Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display the ratio of the sum of two fields?

ruhtraeel
Path Finder
‎10-16-2019 03:02 PM

Hello,
My data looks like this:

urlupdateid=4, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=T, EffectiveDate_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy

urlupdateid=3, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=F, EffectiveDate_correct=F, total_datetypes_correct=0, total_dates_correct=0, total_datetypes=1
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy

urlupdateid=2, urlid=1, payer=Aetna, ReviewDate_datetype_correct=T, ReviewDate_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy

urlupdateid=1, urlid=1, payer=Aetna, PublicationDate_datetype_correct=T, PublicationDate_correct=T, ReviewDate_datetype_correct=T, ReviewDate_correct=T, total_datetypes_correct=2, total_dates_correct=2, total_datetypes=2
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy

I want to show the result of the sum of total_datetypes_correct for each row / total_datetypes for each row in a dashboard.

I tried this search query, but it says "Error in 'stats' command: The argument '(TOTAL_CORRECT)' is invalid.":

source="PCDAccuracy2.txt" host="Arthurs-MacBook-Pro.local" sourcetype="PCDAccuracy"| stats sum(total_datetypes_correct) as TOTAL_CORRECT values(total_datetypes) as total_datetypes | stats sum(total_datetypes) as TOTAL values (TOTAL_CORRECT) | eval total = TOTAL_CORRECT / TOTAL | table total_accuracy total

What am I doing wrong?

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ruhtraeel
Path Finder
‎10-16-2019 03:39 PM

Figured it out. I did this:

source="PCDAccuracy2.txt" host="Arthurs-MacBook-Pro.local" sourcetype="PCDAccuracy"| eventstats sum(total_dates_correct) as TOTAL_CORRECT | eventstats sum(total_datetypes) as TOTAL | eval total = TOTAL_CORRECT / TOTAL

View solution in original post

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎10-16-2019 04:22 PM

is this what you are trying to achieve?

| makeresults count=1
| eval data = "urlupdateid=4, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=T, EffectiveDate_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1 host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy;;;urlupdateid=3, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=F, EffectiveDate_correct=F, total_datetypes_correct=0, total_dates_correct=0, total_datetypes=1 host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy;;;urlupdateid=2, urlid=1, payer=Aetna, ReviewDate_datetype_correct=T, ReviewDate_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1 host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy;;;urlupdateid=1, urlid=1, payer=Aetna, PublicationDate_datetype_correct=T, PublicationDate_correct=T, ReviewDate_datetype_correct=T, ReviewDate_correct=T, total_datetypes_correct=2, total_dates_correct=2, total_datetypes=2 host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy"
 | makemv delim=";;;" data
 | mvexpand data
 | eval _raw = data
 | table _raw
 | extract kvdelim="=" pairdelim=", "
 | rename COMMENT as "the above generates data below is the solution" 
 | table total_datetypes_correct total_datetypes
 | eval ratio = round(total_datetypes_correct / total_datetypes, 2)
0 Karma
Reply
Solved! Jump to solution

ruhtraeel
Path Finder
‎10-16-2019 04:57 PM

Not quite; I needed to add all the total_datetypes_correct values together for every event, as well as all the total_datetypes values together for every event, then calculate the ratio from that, rather than calculate the ratio for each event individually.

0 Karma
Reply
Solved! Jump to solution
Solution

ruhtraeel
Path Finder
‎10-16-2019 03:39 PM

Figured it out. I did this:

source="PCDAccuracy2.txt" host="Arthurs-MacBook-Pro.local" sourcetype="PCDAccuracy"| eventstats sum(total_dates_correct) as TOTAL_CORRECT | eventstats sum(total_datetypes) as TOTAL | eval total = TOTAL_CORRECT / TOTAL

0 Karma
Reply
Solved! Jump to solution

ruhtraeel
Path Finder
‎10-16-2019 03:10 PM

I would assume it's because the total_datetypes field no longer exists after the first "stats" command. How would I keep the previous fields?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...