Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get a ratio of two fields based on condition?

Rokas_Strazdas
Engager
‎06-03-2021 11:59 PM

Following is the data I have:

  • Time (DD/MM/YYYY 00:00:00)
  • Delay_class (String value, example "B. > 15 MIN" or "A. < 15MIN")
  • NumberOfOccurances (integer, numeric values of traffic count, for example, "314" or "96606")
  • Others (Fields that are not important in this case)

 

What I am trying to do is to show a ratio of the two delay classes with corresponding time limitations (like the ones seen in the example) based on the number of occurrences.

So, for example, on the 4th of June all of the combined NumberOfOccurances for the delay class of "B. > 15 MIN" are 50000, while all of the combined (summed) NumberOfOccurances on the same day for a corresponding delay class "A. < 15MIN" are 1000000, so I'd like to see the ratio of 0,05 shown in a Pivot table of visualization of some sort. How do I achieve that? 

Labels (5)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-04-2021 01:56 PM
Can you share couple of line your events? It’s easier to understand and answer to your question.
Reply

Rokas_Strazdas
Engager
‎06-07-2021 11:03 PM

Capture1.PNG

Sure, here is an example

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-08-2021 01:03 AM 
source="CombinedA.csv" host="DESKTOP-NNPLERL" sourcetype="csv" DELAY_CLASS="*325*"
| bin span=1d _time
| stats sum(NumberOfOccurances) as NumberOfOccurances by _time DELAY_CLASS
| eval limitation=substr(DELAY_CLASS,5,len(DELAY_CLASS)-5)
| eval class=substr(DELAY_CLASS,1,1)
| eval {class}_count=NumberOfOccurances
| table limitation _time *_count
| stats values(*) as * by _time limitation
| eval ratio=A_count/B_count
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...