Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display the ratio of the sum of two fields?

ruhtraeel
Path Finder
‎10-16-2019 03:02 PM

Hello,
My data looks like this:

urlupdateid=4, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=T, EffectiveDate_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy

urlupdateid=3, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=F, EffectiveDate_correct=F, total_datetypes_correct=0, total_dates_correct=0, total_datetypes=1
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy

urlupdateid=2, urlid=1, payer=Aetna, ReviewDate_datetype_correct=T, ReviewDate_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy

urlupdateid=1, urlid=1, payer=Aetna, PublicationDate_datetype_correct=T, PublicationDate_correct=T, ReviewDate_datetype_correct=T, ReviewDate_correct=T, total_datetypes_correct=2, total_dates_correct=2, total_datetypes=2
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy

I want to show the result of the sum of total_datetypes_correct for each row / total_datetypes for each row in a dashboard.

I tried this search query, but it says "Error in 'stats' command: The argument '(TOTAL_CORRECT)' is invalid.":

source="PCDAccuracy2.txt" host="Arthurs-MacBook-Pro.local" sourcetype="PCDAccuracy"| stats sum(total_datetypes_correct) as TOTAL_CORRECT values(total_datetypes) as total_datetypes | stats sum(total_datetypes) as TOTAL values (TOTAL_CORRECT) | eval total = TOTAL_CORRECT / TOTAL | table total_accuracy total

What am I doing wrong?

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ruhtraeel
Path Finder
‎10-16-2019 03:39 PM

Figured it out. I did this:

source="PCDAccuracy2.txt" host="Arthurs-MacBook-Pro.local" sourcetype="PCDAccuracy"| eventstats sum(total_dates_correct) as TOTAL_CORRECT | eventstats sum(total_datetypes) as TOTAL | eval total = TOTAL_CORRECT / TOTAL

View solution in original post

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎10-16-2019 04:22 PM

is this what you are trying to achieve?

| makeresults count=1
| eval data = "urlupdateid=4, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=T, EffectiveDate_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1 host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy;;;urlupdateid=3, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=F, EffectiveDate_correct=F, total_datetypes_correct=0, total_dates_correct=0, total_datetypes=1 host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy;;;urlupdateid=2, urlid=1, payer=Aetna, ReviewDate_datetype_correct=T, ReviewDate_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1 host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy;;;urlupdateid=1, urlid=1, payer=Aetna, PublicationDate_datetype_correct=T, PublicationDate_correct=T, ReviewDate_datetype_correct=T, ReviewDate_correct=T, total_datetypes_correct=2, total_dates_correct=2, total_datetypes=2 host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy"
 | makemv delim=";;;" data
 | mvexpand data
 | eval _raw = data
 | table _raw
 | extract kvdelim="=" pairdelim=", "
 | rename COMMENT as "the above generates data below is the solution" 
 | table total_datetypes_correct total_datetypes
 | eval ratio = round(total_datetypes_correct / total_datetypes, 2)
0 Karma
Reply
Solved! Jump to solution

ruhtraeel
Path Finder
‎10-16-2019 04:57 PM

Not quite; I needed to add all the total_datetypes_correct values together for every event, as well as all the total_datetypes values together for every event, then calculate the ratio from that, rather than calculate the ratio for each event individually.

0 Karma
Reply
Solved! Jump to solution
Solution

ruhtraeel
Path Finder
‎10-16-2019 03:39 PM

Figured it out. I did this:

source="PCDAccuracy2.txt" host="Arthurs-MacBook-Pro.local" sourcetype="PCDAccuracy"| eventstats sum(total_dates_correct) as TOTAL_CORRECT | eventstats sum(total_datetypes) as TOTAL | eval total = TOTAL_CORRECT / TOTAL

0 Karma
Reply
Solved! Jump to solution

ruhtraeel
Path Finder
‎10-16-2019 03:10 PM

I would assume it's because the total_datetypes field no longer exists after the first "stats" command. How would I keep the previous fields?

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...