Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Divide the sum of all fields that end with X whose...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Divide the sum of all fields that end with X whose value == true with the sum of all fields that end with X whose value equals == true | false
ruhtraeel
Path Finder
10-17-2019
11:28 AM
Hello,
My data looks like this:
urlupdateid=4, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=T, EffectiveDate_date_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy
urlupdateid=3, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=F, EffectiveDate_date_correct=F, total_datetypes_correct=0, total_dates_correct=0, total_datetypes=1
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy
urlupdateid=2, urlid=1, payer=Aetna, ReviewDate_datetype_correct=T, ReviewDate_date_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy
urlupdateid=1, urlid=1, payer=Aetna, PublicationDate_datetype_correct=T, PublicationDate_date_correct=T, ReviewDate_datetype_correct=T, ReviewDate_date_correct=T, total_datetypes_correct=2, total_dates_correct=2, total_datetypes=2
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy
I need to basically calculate
For each datetype, Sum of <>_datetype_correct == "T" / Sum of all <>_datetype_correct
So in the end, I would have
EffectiveDate_datetype_correct_ratio = 0.5
ReviewDate_datetype_correct_ratio = 1
PublicationDate_datetype_correct_ratio = 1
where there could be a variable number of datetypes, ie. EffectiveDate, ReviewDate, PublicationDate, RetiredDate, ...
How would I do this?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ruhtraeel
Path Finder
10-17-2019
04:13 PM
I actually ended up doing this:
source="PCDAccuracy2.txt" host="Arthurs-MacBook-Pro.local" sourcetype="PCDAccuracy"
| foreach *_datetype_correct [eval <<FIELD>>_datetype_correct_subtotal = 0]
| fillnull value=0
| foreach *_datetype_correct [eval <<FIELD>>_datetype_correct_subtotal = if('<<FIELD>>' == "true", <<FIELD>>_datetype_correct_subtotal + 1, <<FIELD>>_datetype_correct_subtotal)]
| eventstats sum(*_datetype_correct_subtotal) as *_NUM_CORRECT, sum(*_datetype_correct) as *_datetype_correct_subtotal
| foreach *_datetype_correct [eval <<FIELD>>_datetype_subtotal = 0]
| fillnull value=0
| foreach *_datetype_correct [eval <<FIELD>>_datetype_subtotal = if('<<FIELD>>' == "true" OR '<<FIELD>>' == "false", <<FIELD>>_datetype_subtotal + 1, <<FIELD>>_datetype_subtotal)]
| eventstats sum(*_datetype_subtotal) as *_TOTAL_NUM, sum(*_datetype_correct) as *_datetype_subtotal
| foreach *_datetype_correct [eval <<FIELD>>_CORRECT_RATIO = <<FIELD>>_NUM_CORRECT / <<FIELD>>_TOTAL_NUM]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
arjunpkishore5
Motivator
10-17-2019
03:12 PM
Try This
Because of the formatting issues, I have added few extra spaces between the arrows. Also, there is no dot after FIELD.
|stats sum(eval(if(*_correct=="T", 1,0))) as T_*_correct, count(8_correct) as total_*_correct
|foreach T_*_correct [ eval < < MATCHSEG1 > >ratio = < < FIELD. > >/total< < MATCHSEG1 > >_correct]
Here's documentation for foreach - https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Foreach
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
arjunpkishore5
Motivator
10-17-2019
12:47 PM
For ReviewDate_datetype_correct, you would do this
|stats sum(eval(if(ReviewDate_datetype_correct=="T", 1,0))) as ReviewDate_datetype_correct_T, count(ReviewDate_datetype_correct) as total_ReviewDate_datetype_correct
|eval ReviewDate_datetype_correct_ratio = round((ReviewDate_datetype_correct_T/total_ReviewDate_datetype_correct),2)
Similarly for the other 2 dates.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ruhtraeel
Path Finder
10-17-2019
01:33 PM
Hi. the datetypes like "ReviewDate" and "PublicationDate" can't be hardcoded because the list can change.
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
