Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I divide my other results from one specific result?

sbentley_ea
Explorer
‎11-12-2019 10:26 AM

Currently I have

index=* Name=rateA OR rateB OR rateC OR rateD OR rateE | stats sum(Rate) as sumRate by _time, Name

What I want to do is get the sumRate of all the other rates and then divide them by rateE 's sumRate. I tried doing an appencols to search for rateE separately and then do appendcols [search index=* Name=rateE | stats sum(Rate) as sumRateE by _time, Name ] | eval divided=sumRate/sumRateE but for some reason the time range of the appendcols search was only a fraction of the total time range.

0 Karma
Reply

mayurr98
Super Champion
‎11-12-2019 12:30 PM

try this:

index=* Name=rateA OR Name=rateB OR Name=rateC OR Name=rateD OR Name=rateE 
| stats sum(Rate) as sumRate, sum(eval(if(Name="rateE",Rate,0))) as sumRateE by _time 
| eventstats sum(sumRate) as sumRate sum(sumRateE) as sumRateE 
| eval divided=sumRate/sumRateE
0 Karma
Reply

sbentley_ea
Explorer
‎11-12-2019 01:42 PM

Hi sorry I should I clarified in my questions, how do I then timechart the average divided for each name as a percent? When I try

... | eval divided=sumRate/sumRateE
| timechart avg(divided) as Percent by Name

I don't get anything showing up

0 Karma
Reply

solarboyz1
Builder
‎11-12-2019 11:34 AM

Using the eval in the stats line I get both sumRateE and sumRate, then using eval to divide:

index=* Name=rateA OR rateB OR rateC OR rateD OR rateE 
| stats sum(Rate) as sumRate, sum(eval(if(like(Name,"rateE"),Rate,0))) as sumRateE by _time
| eval divided=sumRate/sumRateE
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...