Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I perform math against two searches?

mo86
New Member
‎08-30-2018 07:01 AM

I have two searches that use the same index and each return a numerical total, differing only in the period of time of the data they look at. How would I perform math on the search results for example adding or calculating percentages?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎08-30-2018 08:12 AM 
| makeresults
| fields - _time
| eval Total1=[search index=data NOT ID="" earliest=-1d@d latest=-0d@d | regex name!="[a-z]."| dedup id | stats count | return $count] 
| eval Total2=[search index=data NOT ID="" earliest=-0d@d latest=now | regex name!="[a-z]."| dedup id | stats count | return $count]
| eval FullTotal=Total1+Total2 | eval percentage=((Total1/FullTotal)*100)
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎08-30-2018 08:12 AM 
| makeresults
| fields - _time
| eval Total1=[search index=data NOT ID="" earliest=-1d@d latest=-0d@d | regex name!="[a-z]."| dedup id | stats count | return $count] 
| eval Total2=[search index=data NOT ID="" earliest=-0d@d latest=now | regex name!="[a-z]."| dedup id | stats count | return $count]
| eval FullTotal=Total1+Total2 | eval percentage=((Total1/FullTotal)*100)
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

mo86
New Member
‎08-30-2018 08:25 AM

Thank you, that works great!

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎08-30-2018 07:54 AM

maybe, could you write the 2 queries please..

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

mo86
New Member
‎08-30-2018 07:57 AM

index=data NOT ID="" earliest=-1d@d latest=-0d@d | regex name!="[a-z]."| dedup id | stats count

index=data NOT ID="" earliest=-0d@d latest=now | regex name!="[a-z]."| dedup id | stats count

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...