Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I divide my other results from one specific result?

sbentley_ea
Explorer
‎11-12-2019 10:26 AM

Currently I have

index=* Name=rateA OR rateB OR rateC OR rateD OR rateE | stats sum(Rate) as sumRate by _time, Name

What I want to do is get the sumRate of all the other rates and then divide them by rateE 's sumRate. I tried doing an appencols to search for rateE separately and then do appendcols [search index=* Name=rateE | stats sum(Rate) as sumRateE by _time, Name ] | eval divided=sumRate/sumRateE but for some reason the time range of the appendcols search was only a fraction of the total time range.

0 Karma
Reply

mayurr98
Super Champion
‎11-12-2019 12:30 PM

try this:

index=* Name=rateA OR Name=rateB OR Name=rateC OR Name=rateD OR Name=rateE 
| stats sum(Rate) as sumRate, sum(eval(if(Name="rateE",Rate,0))) as sumRateE by _time 
| eventstats sum(sumRate) as sumRate sum(sumRateE) as sumRateE 
| eval divided=sumRate/sumRateE
0 Karma
Reply

sbentley_ea
Explorer
‎11-12-2019 01:42 PM

Hi sorry I should I clarified in my questions, how do I then timechart the average divided for each name as a percent? When I try

... | eval divided=sumRate/sumRateE
| timechart avg(divided) as Percent by Name

I don't get anything showing up

0 Karma
Reply

solarboyz1
Builder
‎11-12-2019 11:34 AM

Using the eval in the stats line I get both sumRateE and sumRate, then using eval to divide:

index=* Name=rateA OR rateB OR rateC OR rateD OR rateE 
| stats sum(Rate) as sumRate, sum(eval(if(like(Name,"rateE"),Rate,0))) as sumRateE by _time
| eval divided=sumRate/sumRateE
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...