Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find the percentage between two fields from two sourcetypes

lehrfeld
Path Finder
‎10-25-2013 09:47 AM

I have two sourcetypes - submitters, and recipient_group. I am looking to find the percentage of submitters that are in the recipient_group. If I have 500 submitters and 1000 recipients, my percentage would be 50%. The following search gives me the dc of users in each sourcetype, but I don't have the Splunk knowledge on how to retain those values so I can perform the math. 

sourcetype = submitters OR sourcetype=recipient_group  | eval UserID{sourcetype}=UserID | stats dc(UserIDR*), dc(UserIDS*)

Thanks everyone! Mike

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lehrfeld
Path Finder
‎10-25-2013 11:05 AM

Figured it out. My issue was using the wildcard '*' in the dc command. When I used the entire name - poof!

sourcetype = submitters OR
sourcetype=recipient_group | eval
UserID{sourcetype}=UserID |stats
dc(eval(UserIDRecipient_Group)) as
USERR, dc(eval(UserIDSubmitters)) as
USERS | eval
percentage=(USERS/USERR*100)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lehrfeld
Path Finder
‎10-25-2013 11:05 AM

Figured it out. My issue was using the wildcard '*' in the dc command. When I used the entire name - poof!

sourcetype = submitters OR
sourcetype=recipient_group | eval
UserID{sourcetype}=UserID |stats
dc(eval(UserIDRecipient_Group)) as
USERR, dc(eval(UserIDSubmitters)) as
USERS | eval
percentage=(USERS/USERR*100)

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎10-25-2013 10:20 AM

what about starting with something like that, then calculate the ratio.
sourcetype=submitters OR sourcetype=recipient_group | chart dc(UserID) by UserID sourcetype | eval in_both=if(submitters==1 AND recipient_group==1,1,0)

Then do the total and clean, then eval a percentage
... | addcoltotals | WHERE isnull(UserID) | table submitters recipient_group in_both

0 Karma
Reply
Solved! Jump to solution

lehrfeld
Path Finder
‎10-25-2013 10:55 AM

yannK - Thanks for the response. To keep it simple, both of our sourcetypes only have one type of data in it. So a simple dc(userID) will give use the count needed to calculate the ratio. I just can't find a way to capture those values to do a calculation on them. I will keep tweaking the code and post back soon (hopefully). Mike

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...