Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combining "stats dc(x)" with "stats dc(x) by y" in same search

bryanfe
New Member
‎03-07-2013 07:12 PM

I am having a ton of trouble expressing this query.

Suppose I have 1,000 distinct people, and 25 cities. Over a time period, each person might visit [0...n] cities.

I want a report which shows, for each city, what percentage of my unique people visited that city? Note that in this report, the percentages won't add up to 100%, since any person might visit more than one city in the time period.

This search gives me the # of unique people and returns one row, value of "1000":

eventtype=visit |stats dc(person) | rename dc(person) as "# Unique People"

This search shows # of unique people who visited each city and returns 25 rows:

eventtype=visit |stats dc(person) by city | rename dc(person) as "# Unique People" | sort -"# Unique People"

What I want is, in Search #2, instead of showing a # of people, I want to show the # of people divided by the total returned in Search #1 (which would be a percentage of the total unique people).

Can anyone help? I've played with append, appendcols, join, appendpipe.. I'm lost.

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-08-2013 12:31 AM

totalPeople ends up empty because the first stats drops the person field, you need to swap things around a bit.

... | eventstats dc(person) as totalPeople | stats dc(person) as uniquePeople values(totalPeople) as totalPeople by city | eval percentage = 100*(uniquePeople/totalPeople)
Reply

sideview
SplunkTrust
SplunkTrust
‎03-07-2013 09:59 PM

UPDATED:

eventtype=visit | stats count by city person | eventstats dc(person) as totalPeople | stats dc(person) as visitors last(totalPeople) as totalPeople by city | eval percentage=100*(visitors/totalPeople) | table city percentage

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎03-08-2013 10:12 AM

Oops. I see the problem. I'll update.

0 Karma
Reply

bryanfe
New Member
‎03-07-2013 10:22 PM

Thank you. I tried this, but the "totalPeople" column ends up empty. Not sure why.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...