Splunk Search

How do I perform math against two searches?

mo86
New Member

I have two searches that use the same index and each return a numerical total, differing only in the period of time of the data they look at. How would I perform math on the search results for example adding or calculating percentages?

0 Karma
1 Solution

inventsekar
SplunkTrust
SplunkTrust
| makeresults
| fields - _time
| eval Total1=[search index=data NOT ID="" earliest=-1d@d latest=-0d@d | regex name!="[a-z]."| dedup id | stats count | return $count] 
| eval Total2=[search index=data NOT ID="" earliest=-0d@d latest=now | regex name!="[a-z]."| dedup id | stats count | return $count]
| eval FullTotal=Total1+Total2 | eval percentage=((Total1/FullTotal)*100)

View solution in original post

inventsekar
SplunkTrust
SplunkTrust
| makeresults
| fields - _time
| eval Total1=[search index=data NOT ID="" earliest=-1d@d latest=-0d@d | regex name!="[a-z]."| dedup id | stats count | return $count] 
| eval Total2=[search index=data NOT ID="" earliest=-0d@d latest=now | regex name!="[a-z]."| dedup id | stats count | return $count]
| eval FullTotal=Total1+Total2 | eval percentage=((Total1/FullTotal)*100)

mo86
New Member

Thank you, that works great!

0 Karma

inventsekar
SplunkTrust
SplunkTrust

maybe, could you write the 2 queries please..

0 Karma

mo86
New Member

index=data NOT ID="" earliest=-1d@d latest=-0d@d | regex name!="[a-z]."| dedup id | stats count

index=data NOT ID="" earliest=-0d@d latest=now | regex name!="[a-z]."| dedup id | stats count

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...