Splunk Search

How to get a ratio of two fields based on condition?

Rokas_Strazdas
Engager

Following is the data I have:

  • Time (DD/MM/YYYY 00:00:00)
  • Delay_class (String value, example "B. > 15 MIN" or "A. < 15MIN")
  • NumberOfOccurances (integer, numeric values of traffic count, for example, "314" or "96606")
  • Others (Fields that are not important in this case)


What I am trying to do is to show a ratio of the two delay classes with corresponding time limitations (like the ones seen in the example) based on the number of occurrences.

So, for example, on the 4th of June all of the combined NumberOfOccurances for the delay class of "B. > 15 MIN" are 50000, while all of the combined (summed) NumberOfOccurances on the same day for a corresponding delay class "A. < 15MIN" are 1000000, so I'd like to see the ratio of 0,05 shown in a Pivot table or visualization of some sort. How do I achieve that?


isoutamo
SplunkTrust
Can you share a couple of lines of your events? It's easier to understand and answer your question.

Rokas_Strazdas
Engager

Sure, here is an example

[screenshot: Capture1.PNG]


ITWhisperer
SplunkTrust
source="CombinedA.csv" host="DESKTOP-NNPLERL" sourcetype="csv" DELAY_CLASS="*325*"
| bin span=1d _time
| stats sum(NumberOfOccurances) as NumberOfOccurances by _time DELAY_CLASS
| eval limitation=substr(DELAY_CLASS,5,len(DELAY_CLASS)-5)
| eval class=substr(DELAY_CLASS,1,1)
| eval {class}_count=NumberOfOccurances
| table limitation _time *_count
| stats values(*) as * by _time limitation
| eval ratio=A_count/B_count
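The same pipeline expressed outside Splunk, as an added example that is not part of this thread: bin events by day, sum NumberOfOccurances per day and per delay class, then divide the two class totals. It is useful for checking what the search above should return on a small known dataset. The rows are constructed here (not the poster's CSV) using the field names from the question; the class letter and limitation text are split on the "." rather than by fixed substr positions, which assumes the "A. < 15MIN" / "B. > 15 MIN" format shown in the question, not the poster's real file. Days on which either class is absent get None, the way a null divisor or dividend would in SPL.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not the original poster's data). Column names follow
# the question; Time is DD/MM/YYYY HH:MM:SS as described there.
SAMPLE_CSV = """Time,DELAY_CLASS,NumberOfOccurances
04/06/2024 08:00:00,A. < 15MIN,600000
04/06/2024 13:30:00,A. < 15MIN,400000
04/06/2024 09:15:00,B. > 15 MIN,30000
04/06/2024 17:45:00,B. > 15 MIN,20000
05/06/2024 10:00:00,A. < 15MIN,96606
05/06/2024 11:00:00,B. > 15 MIN,314
06/06/2024 10:00:00,A. < 15MIN,1234
"""


def parse_events(text):
    """Read CSV text into dicts with a parsed datetime and an integer count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.strptime(row["Time"], "%d/%m/%Y %H:%M:%S"),
            "delay_class": row["DELAY_CLASS"],
            "count": int(row["NumberOfOccurances"]),
        })
    return rows


def split_class(delay_class):
    """Split "B. > 15 MIN" into ("B", "> 15 MIN").

    Assumes the '<letter>. <limitation>' format from the question; this stands
    in for the two substr() evals in the SPL answer.
    """
    letter, _, limitation = delay_class.partition(".")
    return letter.strip(), limitation.strip()


def daily_ratio(events, numerator="B", denominator="A"):
    """Equivalent of 'bin span=1d' + 'stats sum by day, class' + one eval.

    Returns {ISO day: numerator_total / denominator_total}. The question asks for
    B/A (50000/1000000 = 0.05); pass numerator="A", denominator="B" for A/B.
    """
    sums = defaultdict(lambda: defaultdict(int))
    for ev in events:
        day = ev["time"].date().isoformat()      # bin span=1d
        letter, _ = split_class(ev["delay_class"])
        sums[day][letter] += ev["count"]          # stats sum(...) by day, class
    result = {}
    for day in sorted(sums):
        num = sums[day].get(numerator)
        den = sums[day].get(denominator)
        # A day missing either class (or a zero divisor) cannot yield a ratio.
        result[day] = (num / den) if (num is not None and den) else None
    return result


if __name__ == "__main__":
    for day, ratio in daily_ratio(parse_events(SAMPLE_CSV)).items():
        print(day, "n/a" if ratio is None else f"{ratio:.4f}")
```

Running it prints 0.0500 for 04/06 (matching the figure in the question), a small ratio for 05/06, and n/a for 06/06, where only class A occurs. Swapping numerator and denominator reproduces the A_count/B_count orientation used in the search above.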