Solved: How to get a ratio in the search results？

Ameszzz · ‎03-01-2023

Hi experts,

I was stuck in a quandary when I was trying to see which of my customer base was using optimization mode and I needed to get the percentage of optimization patterns used for each org sorted by orgId, so I tried using the following statement.

index=* type=* orgId=*
| eval Mode = case(type ==" non_opt", "None-Optimized", type=="opt", "Optimized")
| stats count by Mode, orgId
| sort count
| stats list(Mode), list(count) by orgId

But so far I only got the number of opt/non-opt users sorted by orgId, actually I want to calculate the value or percentage of opt/(opt + non-opt) and output the result grouped by orgId. How should I do?...

yuanliu · ‎03-02-2023

Something like

index=* type=* orgId=*
| stats count by type, orgId
| eval opt_count = if(type == "opt", count, null())
| stats values(opt_count) as opt_percentage sum(count) as count by orgId
| eval opt_percentage = opt_percentage / count * 100

View solution in original post

Ameszzz · ‎03-05-2023

Thanks all for the help!!!

yuanliu · ‎03-02-2023

Something like

index=* type=* orgId=*
| stats count by type, orgId
| eval opt_count = if(type == "opt", count, null())
| stats values(opt_count) as opt_percentage sum(count) as count by orgId
| eval opt_percentage = opt_percentage / count * 100

ITWhisperer · ‎03-02-2023

Start with something like this

index=* type=* orgId=*
| eval Mode = case(type ==" non_opt", "None-Optimized", type=="opt", "Optimized")
| stats count by Mode, orgId
| eventstats sum(cout) as total by orgId
| eval percent=100*count/total

How to get a ratio in the search results？

count

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?