Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create a derived field using two searches?

SlothB77
Engager
‎09-07-2018 08:42 AM

I want to create a derived field using a search string like so:

(host=HostA sourcetype="SourceTypeA" counter="CounterA" avg(ValueA)) /
(host=HostA sourcetype="SourceTypeA" counter="CounterB" avg(ValueB))

This divides the average value when counter=CounterA by the average value when counter=CounterB. I get an error when I plug this search string into the Splunk dynamic search.

I tried this alternative version:

host=Host sourcetype=SourceType counter=CounterA avg(Value) by GroupByField as numerator
counter=CounterB avg(ValueB) by GroupByField as denominator |

eval quotient= numerator/denominator |
table GroupByField, quotient

but no luck.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎09-07-2018 09:11 AM

@SlothB77,
Try,

host=Host sourcetype=SourceType |stats avg(eval(if(counter=CounterA,ValueA,null()))) as numerator,
                                       avg(eval(if(counter=CounterB,ValueB,null()))) as denominator 
                                       by GroupByField 
|eval quotient= numerator/denominator
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎09-07-2018 09:11 AM

@SlothB77,
Try,

host=Host sourcetype=SourceType |stats avg(eval(if(counter=CounterA,ValueA,null()))) as numerator,
                                       avg(eval(if(counter=CounterB,ValueB,null()))) as denominator 
                                       by GroupByField 
|eval quotient= numerator/denominator
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

SlothB77
Engager
‎09-07-2018 09:17 AM

This code worked without error when I plugged in my values and it returned exactly what I was looking for. Well done!

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎09-07-2018 09:09 AM

Hi @SlothB77,

I just throw a random suggestion out there.

How about:

host=HostA sourcetype="SourceTypeA"
| stats avg(ValueA) AS average_valueA, avg(ValueB) AS average_valueB by counter
| stats values(*) as *
| ratio=average_valueA/average_valueB

Props go to @DalJeanis for help on the last two lines!

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎09-07-2018 09:01 AM

Hi @SlothB77,

please provide us some sample data and an expected output with further clarification on what you are expecting to do.

Unfortunately your SPL is just a mess. And I can't figure out what you are trying to do.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...