Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Combining "stats dc(x)" with "stats dc(x) by y" in same search

bryanfe
New Member
‎03-07-2013 07:12 PM

I am having a ton of trouble expressing this query.

Suppose I have 1,000 distinct people, and 25 cities. Over a time period, each person might visit [0...n] cities.

I want a report which shows, for each city, what percentage of my unique people visited that city? Note that in this report, the percentages won't add up to 100%, since any person might visit more than one city in the time period.

This search gives me the # of unique people and returns one row, value of "1000":

eventtype=visit |stats dc(person) | rename dc(person) as "# Unique People"

This search shows # of unique people who visited each city and returns 25 rows:

eventtype=visit |stats dc(person) by city | rename dc(person) as "# Unique People" | sort -"# Unique People"

What I want is, in Search #2, instead of showing a # of people, I want to show the # of people divided by the total returned in Search #1 (which would be a percentage of the total unique people).

Can anyone help? I've played with append, appendcols, join, appendpipe.. I'm lost.

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-08-2013 12:31 AM

totalPeople ends up empty because the first stats drops the person field, you need to swap things around a bit.

... | eventstats dc(person) as totalPeople | stats dc(person) as uniquePeople values(totalPeople) as totalPeople by city | eval percentage = 100*(uniquePeople/totalPeople)
Reply

sideview
SplunkTrust
SplunkTrust
‎03-07-2013 09:59 PM

UPDATED:

eventtype=visit | stats count by city person | eventstats dc(person) as totalPeople | stats dc(person) as visitors last(totalPeople) as totalPeople by city | eval percentage=100*(visitors/totalPeople) | table city percentage

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎03-08-2013 10:12 AM

Oops. I see the problem. I'll update.

0 Karma
Reply

bryanfe
New Member
‎03-07-2013 10:22 PM

Thank you. I tried this, but the "totalPeople" column ends up empty. Not sure why.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...