Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dividingof result from two Hosts

SplunkBaby
Explorer
‎02-11-2014 12:07 AM

Hi

I would like to divide the values from 2 hosts.Is it possible.

Example:
Say i have HostA and HostB.
HostA contains a field which can be used for calculating total.
HostB which contails value to divide.

Ie host=HostA|stats sum(filed) will give 1000.
host=HostB|stats sum(filed) will give 3.
I want to divide 1000/3 in single search query .Is it possible?

0 Karma
Reply

somesoni2
Revered Legend
‎02-11-2014 07:44 AM

Try these

Options 1

host=hostA | stats sum(field) as FieldTotA | appendcols [search host=hostB | stats sum(field) as FieldTotB] | eval division=round(FieldTotA/FieldTotB,2)

Option 2 

| multisearch [search  host=hostA | eval fieldA=field | table fieldA] [search host=hostB | eval fieldB=field | table fieldB] | stats sum(fieldA) as FieldTotA, sum(fieldB) as fieldTotB | eval division=round(FieldTotA/FieldTotB,2)
Reply

kristian_kolb
Ultra Champion
‎02-11-2014 12:41 AM

If the field name is the same you can do it like so (Different sourcetypes rather than hosts in the example below);

index=_internal sourcetype=splunkd_access OR sourcetype=splunkd | stats sum(timeendpos) as summy by sourcetype | stats values(summy) as summy2| eval foo=mvindex(summy2,0) | eval bar=mvindex(summy2,1) | eval result=foo/bar

If the field names are different, it's even easier (bytes in splunkd_access and workers in splunkd);

index=_internal sourcetype=splunkd_access OR  sourcetype=splunkd | stats sum(bytes) as sumb sum(workers) as sumw | eval result = sumb/sumw

/k

Reply

kristian_kolb
Ultra Champion
‎02-11-2014 07:16 AM

Oops, my bad. you need to make sure that the total_sum survives through the stats operation;

host=bob | eventstats sum(field_A) as total_sum | search field_B=X | stats sum(field_A) as X_sum first(total_sum) as total_sum | table X_sum total_sum

NB. Since the eventstats only calculates one value, it does not matter much which stats function (first, last, max etc) you use to preserve it.

0 Karma
Reply

SplunkBaby
Explorer
‎02-11-2014 05:03 AM

Only X_sum is showing in my result.total_sum is blank

0 Karma
Reply

SplunkBaby
Explorer
‎02-11-2014 05:02 AM

Say I have a field Visit my host.
I want to find the total of Visit first.Then i want to filter host with some condition and again want to find the sum for Visit.
I did the query like this
host=ABC|eventstats sum(Visits) as total_sum | search "EMP Code"=BJX |stats sum(Visits) as X_sum.I am getting only second sum ie (X_sum)

0 Karma
Reply

kristian_kolb
Ultra Champion
‎02-11-2014 04:38 AM

Maybe I don't fully understand your question, but if you want make like this (in a pseudo-search-query);

find all relevant events 
| sum(field_1) as total_sum 
| filter to only keep events where user=bob
| sum(field_1) as bob_sum

Then you can use eventstats, which puts the statistic in all events, without altering them/removing information;

host=A | eventstats sum(field) as total_sum | search field1=X | stats sum(field) as X_sum

/K

0 Karma
Reply

SplunkBaby
Explorer
‎02-11-2014 02:18 AM

Thanks I work with second solution(fields different) and it helped me to solve.

For my understanding I have another doubt also.
In the same example if i want to take sum of a field in hostA before and after filtering data how can i proceed.
Ex:
host="hostA" |sum(field) as Beforefilter|field1=A|sum(field)as Afterfilter
Is the above possible?

0 Karma
Reply

MuS
Legend
‎02-11-2014 12:27 AM

Hi SplunkBaby,

a quick way could be the following multisearch:

 | multisearch [ search host=HostA | stats sum(filed) AS fieldA ] [ search host=HostB | stats sum(filed) AS fieldB ] | eval division=fieldA/fieldB | table host filed fieldA fieldB division

I'm pretty sure there are better and more efficient ways to do it, but this will get you started ...

cheers, MuS

0 Karma
Reply

MuS
Legend
‎02-11-2014 04:27 AM

okay, based on /k second example which you used to get it working a multisearch would look like this:

| multisearch [ search index=_internal sourcetype=splunkd_access | eval foo=bytes ] [ search index=_internal sourcetype=splunkd | eval bar=workers ] | stats sum(foo) as sumb sum(bar) as sumw | eval result = sumb/sumw

but this is really not necessary in your use case since you use fields with different names and different sourcetypes. A multisearch is used for other use cases......

0 Karma
Reply

SplunkBaby
Explorer
‎02-11-2014 02:25 AM

When i tried this i got below exception.
Error in 'multisearch' command: Multisearch subsearches may only contain purely streaming operations (subsearch 1 contains a non-streaming command.)

Reply

kristian_kolb
Ultra Champion
‎02-11-2014 12:43 AM

Oops, you're faster (again), but I'll leave my answer as it describes a different solution.

/k

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...