Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Combining "stats dc(x)" with "stats dc(x) by y" in same search

bryanfe
New Member
‎03-07-2013 07:12 PM

I am having a ton of trouble expressing this query.

Suppose I have 1,000 distinct people, and 25 cities. Over a time period, each person might visit [0...n] cities.

I want a report which shows, for each city, what percentage of my unique people visited that city? Note that in this report, the percentages won't add up to 100%, since any person might visit more than one city in the time period.

This search gives me the # of unique people and returns one row, value of "1000":

eventtype=visit |stats dc(person) | rename dc(person) as "# Unique People"

This search shows # of unique people who visited each city and returns 25 rows:

eventtype=visit |stats dc(person) by city | rename dc(person) as "# Unique People" | sort -"# Unique People"

What I want is, in Search #2, instead of showing a # of people, I want to show the # of people divided by the total returned in Search #1 (which would be a percentage of the total unique people).

Can anyone help? I've played with append, appendcols, join, appendpipe.. I'm lost.

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-08-2013 12:31 AM

totalPeople ends up empty because the first stats drops the person field, you need to swap things around a bit.

... | eventstats dc(person) as totalPeople | stats dc(person) as uniquePeople values(totalPeople) as totalPeople by city | eval percentage = 100*(uniquePeople/totalPeople)
Reply

sideview
SplunkTrust
SplunkTrust
‎03-07-2013 09:59 PM

UPDATED:

eventtype=visit | stats count by city person | eventstats dc(person) as totalPeople | stats dc(person) as visitors last(totalPeople) as totalPeople by city | eval percentage=100*(visitors/totalPeople) | table city percentage

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎03-08-2013 10:12 AM

Oops. I see the problem. I'll update.

0 Karma
Reply

bryanfe
New Member
‎03-07-2013 10:22 PM

Thank you. I tried this, but the "totalPeople" column ends up empty. Not sure why.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...