Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I derive a field based on the existing...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
newsplnkr
Explorer
12-03-2018
08:51 PM
Hello All,
I am new to Splunk, and in need of help for below events:
- [testName="MobileExp",experience="FetchOn"]
- [testName="MobileExp",experience="FetchOff"]
- [testName="ProductDesign",experience="A"]
- [testName="ProductDesign",experience="B"]
- [testName="ProductDesign",experience="C"]
- [testName="ProductDesign",experience="B"]
- [testName="ProductDesign",experience="B"]
Using above events, I wanted to derive a field which would have percentage for each "experience" of a "testName". For example, for testName="MobileExp", there are two experiences, each of them appearing exactly once. So, percentage split for the experiences relating to testName="MobileExp" is 50%.
Thank you in advance!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
newsplnkr
Explorer
12-04-2018
08:51 AM
I figured out the answer with the help of @renjith.nair.
The following worked:
"baseSearch"
| eventstats count as testCount by testName
| eventstats count as expTotal by experience
| eval trafficSplit=round((expTotal/testCount)*100,1) | fields - expTotal, testCount
| table testName experience trafficSplit | dedup testName experience trafficSplit
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
newsplnkr
Explorer
12-04-2018
08:51 AM
I figured out the answer with the help of @renjith.nair.
The following worked:
"baseSearch"
| eventstats count as testCount by testName
| eventstats count as expTotal by experience
| eval trafficSplit=round((expTotal/testCount)*100,1) | fields - expTotal, testCount
| table testName experience trafficSplit | dedup testName experience trafficSplit
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
macadminrohit
Contributor
12-04-2018
09:18 AM
question: why you are deduping at the end ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
newsplnkr
Explorer
12-20-2018
01:35 PM
I did it to remove any duplicate records
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
skoelpin
SplunkTrust
12-04-2018
09:10 AM
Accept the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-03-2018
10:43 PM
@newsplnkr ,
Try
"your base search "|eventstats count by testName,experience
|eventstats sum(count) as total by testName
|eval perc=round((count/total)*100,2)|fields - count,total
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
newsplnkr
Explorer
12-04-2018
05:52 AM
Hi Renjith, unfortunately, the above query does not produce any results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
macadminrohit
Contributor
12-04-2018
08:58 AM
Try this search, replace the base search as per your data :
| makeresults
| eval Data="testName:MobileExp,experience:FetchOn;testName:MobileExp,experience:FetchOff;testName:ProductDesign,experience:A;testName:ProductDesign,experience:C;testName:ProductDesign,experience:B;testName:ProductDesign,experience:B"
| makemv delim=";" Data
| mvexpand Data
| eval Split1=mvindex(split(Data,","),0)
| eval Split2=mvindex(split(Data,","),1) | eval testName=mvindex(split(Split1,":"),1) | eval experience=mvindex(split(Split2,":"),1) | table _time testName experience | eventstats count as test_count by testName experience | eventstats sum(test_count) as Total by testName | eval perc=(test_count/Total*100)
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
