Solved: Is it possible to divide all individual values in ...

demkic · ‎11-28-2016

Hi there,
I am wondering - is it possible to divide values in field1 by the column total of field1 and create a new field2 to display the result of this calculation? For example, I currently have a field called "errors" where I counted the number of errors per error type and I would like to next take those values per error type and divide it by the total number of errors (aka column total). Is this possible?
Thank you!

BASESEARCH
| stats count(eval(success)) as CompletedTransactions by errorType
| eval percent_failure=round(CompletedTransactions*100/TOTAL, 2)
| sort -percent_failure 
| table errorType CompletedTransactions percent_failure total true false percent
| addcoltotals labelfield=errorType label=TOTAL

vasanthmss · ‎11-28-2016

try something like this..

Once you are grouping the error type use the event stats to find the column total. so the total will be available for your further calculations.

BASESEARCH
    | stats count(eval(success)) as CompletedTransactions by errorType
    | eventstats sum(CompletedTransactions) as columntotal
    | eval percent_failure=round(CompletedTransactions*100/columntotal , 2)
    | sort -percent_failure 
    | table errorType CompletedTransactions percent_failure total true false percent
    | addcoltotals labelfield=errorType label=TOTAL

Newly added or modified pipes are

| eventstats sum(CompletedTransactions) as columntotal
| eval percent_failure=round(CompletedTransactions*100/columntotal , 2)

Description:

Use the eventstats to calcualte the column total and name it as columntotal.
use the columntotal field in the percentage calculation.

Hope this will helps you!!!

V

View solution in original post

vasanthmss · ‎11-28-2016

try something like this..

Once you are grouping the error type use the event stats to find the column total. so the total will be available for your further calculations.

BASESEARCH
    | stats count(eval(success)) as CompletedTransactions by errorType
    | eventstats sum(CompletedTransactions) as columntotal
    | eval percent_failure=round(CompletedTransactions*100/columntotal , 2)
    | sort -percent_failure 
    | table errorType CompletedTransactions percent_failure total true false percent
    | addcoltotals labelfield=errorType label=TOTAL

Newly added or modified pipes are

| eventstats sum(CompletedTransactions) as columntotal
| eval percent_failure=round(CompletedTransactions*100/columntotal , 2)

Description:

Use the eventstats to calcualte the column total and name it as columntotal.
use the columntotal field in the percentage calculation.

Hope this will helps you!!!

V

demkic · ‎11-28-2016

Actually, I do have one more question regarding this. I would like to actually remove one row in my results but do it in such a way that it does not affect my calculation. Here is an example:

errorType, CompletedTransactions, columntotal, and percent_failure are field1, field2, field3, and field4, respectfully.

field1 field2 field3 field4
approved 120 185 0.65
insufficient funds 50 185 0.27
expired card 10 185 0.05
contact issuer 5 185 0.03

In this case, I would like to removed the entire row where field1=approved but I do not want this to affect the calculations. Reason being is that "approved" is not a failure type and I am only interested in observing the proportion of error types given the total number of transactions processed that result in a failure.

Many thanks!

demkic · ‎11-28-2016

It worked, thank you for the great feedback!

Is it possible to divide all individual values in field1 by the column total of field1?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms