Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to divide 2 distinct counts of aggregated values using eval?

fayazvf
New Member
‎12-01-2014 04:22 AM

Hi,

I'm new to splunk and not able to figure out the solution to the problem below.
Query: |eval action=if(field1="value1", "group1", if(field2="value2", "group2", action))| stats dc(id) by action

From the above query, I get the count for values aggregated under group1 and group2. I would also want a field which calculates value for dc("group1") divided upon by dc("group2").

Please let me know how to get it.

Tags (3)
0 Karma
Reply

Tanefo
Path Finder
‎12-17-2014 01:44 AM

hi,
I think that this will have to help you.
You should initially count all the values of Group1 and Group2, then to make a division.
grou1:|eval action=if(field1="value1", "group1", if(field2="value2", "group2", action))| where action="goup1"| stats c by action as GROUP1
group2:|eval action=if(field1="value1", "group1", if(field2="value2", "group2", action))| where action="goup2"| stats c by action as GROUP2
divisioneval Division=GROUP1/GROUP2]

General solution:|eval action=if(field1="value1", "group1", if(field2="value2", "group2", action))| where action="goup1"| stats c by action as GROUP1|appencolds [search ...|eval action=if(field1="value1", "group1", if(field2="value2", "group2", action))| where action="goup2"|stats c by action as GROUP2]| eval Division=GROUP1/GROUP2

0 Karma
Reply

aholzer
Motivator
‎12-01-2014 06:58 AM

Can you provide sample data and sample results? Not sure what exactly you are looking for.

In terms of your dc(group1) / dc(group2), it doesn't work that way, because group1 and group2 are values of the field "action". Distinct count of action [dc(action)], would return only 1 for group1, 1 for group2, and 1 for any other action value you have in the action field.

Are you trying to count the number of results that are action=group1 and the results that are action=group2? For this you can just pipe into "stats count by action", or simply add count after your "dc(id)" to also get the count by action.

Hope this helps

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top