Splunk Search

## How do I do maths with the results of a search for the results that I'm actually after

New Member

I have a search similar to this that gets me stats that are the first step in what I'm after:

index=balloons
| stats count by COLOR

COLOR Count
Grey 6
Purple 5
Orange 27
Red 8
Blue 1
Yellow 9

But I want to know now is what percentage of those that aren't grey are blue or purple. Something to the effect of this:

(Count(Blue) + Count(Purple))/(Count(Purple)+Count(Orange)+Count(Red)+Count(Blue)+Count(Yellow))

Tags (2)
Esteemed Legend

Better yet, like this:

``````index=balloons
| eval foo="bar"
| chart count OVER foo BY COLOR
| eval ANSWER = (Blue + Purple) / Total
``````
Esteemed Legend

Like this:

``````| makeresults | eval raw="Grey 6:::Purple 5:::Orange 27:::Red 8:::Blue 1:::Yellow 9"
| fields - _time
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<COLOR>\S+)\s+(?<count>\d+)\$"
| fields - _raw

| rename COMMENT AS "Everything above generates sample summary data; everything below is your solution; you would start with 'index=baloons | stats count BY COLOR'"

| eval foo="bar"
| xyseries foo COLOR count
| eval ANSWER = (Blue + Purple) / Total
``````
Champion

Try this!

``````index=balloons| stats count by COLOR
| fields - column
| eval your_field=(Blue+Purple)/(Purple+Orange+Red+Blue+Yellow)
``````
SplunkTrust

hello there,
not the prettiest solution, but it works.
try the following search anywhere and see screenshot:

``````  | makeresults count=1
| eval data = "Grey,6;Purple,5;Orange,27;Red,8;Blue,1;Yellow,9"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<color>[^\,]+)\,(?<color_count>\d+)"
| table color color_count
| rename COMMENT as "the above generates data below is the solution"
| search color!=Grey
| eventstats sum(color_count) as total
| eval desired_color = case(color=="Blue",1,color=="Purple",1,1==1,0)
| eval desired_sum = color_count * desired_color
| eventstats sum(desired_sum) as desired_total
| eval percent = round(color_count/total*100, 2)
| eval dsired_percent = round(desired_total/total*100, 2)
``````

screenshot:

hope it helps