Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I do maths with the results of a search for the results that I'm actually after

ruiner314
New Member
‎11-28-2018 02:46 PM

I have a search similar to this that gets me stats that are the first step in what I'm after:

index=balloons
| stats count by COLOR

COLOR Count
Grey 6
Purple 5
Orange 27
Red 8
Blue 1
Yellow 9

But I want to know now is what percentage of those that aren't grey are blue or purple. Something to the effect of this:

(Count(Blue) + Count(Purple))/(Count(Purple)+Count(Orange)+Count(Red)+Count(Blue)+Count(Yellow))

0 Karma
Reply

woodcock
Esteemed Legend
‎11-28-2018 08:38 PM

Better yet, like this:

index=balloons
| eval foo="bar"
| chart count OVER foo BY COLOR
| addtotals row=t col=f
| eval ANSWER = (Blue + Purple) / Total
0 Karma
Reply

woodcock
Esteemed Legend
‎11-28-2018 08:12 PM

Like this:

| makeresults | eval raw="Grey 6:::Purple 5:::Orange 27:::Red 8:::Blue 1:::Yellow 9"
| fields - _time
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<COLOR>\S+)\s+(?<count>\d+)$"
| fields - _raw

| rename COMMENT AS "Everything above generates sample summary data; everything below is your solution; you would start with 'index=baloons | stats count BY COLOR'"

| eval foo="bar"
| xyseries foo COLOR count
| addtotals row=t col=f
| eval ANSWER = (Blue + Purple) / Total
0 Karma
Reply

HiroshiSatoh
Champion
‎11-28-2018 08:01 PM

Try this!

index=balloons| stats count by COLOR
| transpose header_field=COLOR 100
| fields - column
| eval your_field=(Blue+Purple)/(Purple+Orange+Red+Blue+Yellow)
0 Karma
Reply

adonio
Ultra Champion
‎11-28-2018 07:50 PM

hello there,
not the prettiest solution, but it works.
try the following search anywhere and see screenshot:

  | makeresults count=1
    | eval data = "Grey,6;Purple,5;Orange,27;Red,8;Blue,1;Yellow,9"
    | makemv delim=";" data
    | mvexpand data
    | rex field=data "(?<color>[^\,]+)\,(?<color_count>\d+)"
    | table color color_count
    | rename COMMENT as "the above generates data below is the solution" 
    | search color!=Grey
    | eventstats sum(color_count) as total
    | eval desired_color = case(color=="Blue",1,color=="Purple",1,1==1,0)
    | eval desired_sum = color_count * desired_color
    | eventstats sum(desired_sum) as desired_total
    | eval percent = round(color_count/total*100, 2)
    | eval dsired_percent = round(desired_total/total*100, 2)

screenshot:
alt text

hope it helps

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...