Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate ratios using a single previously calculated value to divide by?

Magrilloc
New Member
‎05-26-2016 11:42 AM

I am calculating a bunch of rates and I would like to take all of the rates I have calculated and divide by one of the previously calculated rates. I can get the first two columns below no problem. Here is the search I am currently using (made to be generic): 

index=index Env=myEnv Name=requests | stats sum(Rate) as avgRate by _time, Server | stats avg(avgRate) as AvgRate by Server

alt text

Preview file
5 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎05-26-2016 02:49 PM

If you need 500 from your list, then you can use something like this:

index=index Env=myEnv Name=requests | stats sum(Rate) as avgRate by _time, Server | stats avg(avgRate) as AvgRate by Server | eventstats last(rate) AS lastRate min(rate) AS minRate | eval lastRatio = rate / lastRate | eval minRatio = rate / minRate
0 Karma
Reply

somesoni2
Revered Legend
‎05-26-2016 02:19 PM

Assuming previously calculated rate is the last available rate OR minimum rate (based on your sample values), try like this

index=index Env=myEnv Name=requests | stats sum(Rate) as avgRate by _time, Server | stats avg(avgRate) as AvgRate by Server | eventstats min(AvgRate) as previousRate | eval Ratio=AvgRate/previousRate

You can replace min(AvgRate) by last(AvgRate) OR any other appropriate function.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-26-2016 11:55 AM

Which is the previously calculated rate you want to use?

It appears 500 is what you want to use but it's a bit confusing... see if this gives you ideas:

... | stats sum(Rate) as sumRate by Server,_time | eval ratio=sumRate/[search ... | stats avg(avgRate) as avgRate | return $avgRate] | table _time, Server, sumRate, ratio
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...