Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Joining two queries and getting a percentage

paul_1994
Path Finder
‎04-26-2013 11:37 AM

I have two queries that I am running and I want to take the results / Count of these queries and divide them. I have seen several variances but I am still having issues trying to get my search correct.

Here is an example of my queries:

index=norlogs sourcetype="devicelog" category="NSException, on wi-fi:"

index=norlogs sourcetype="devicelog" category="FinishLaunching"

I would like to divide the first query by the last query and display a percentage. What would be the best way to accomplish this.

This is working but I am not getting percentages

index=norlogs sourcetype="devicelog" category="NSException"| stats count as TotalA | appendcols [search index=norlogs sourcetype="devicelog" category="FinishLaunching" | stats count as TotalB] | eval Total=TotalB/TotalA

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

emiller42
Motivator
‎04-26-2013 11:49 AM

Try something like this:

index="norlogs" sourcetype="devicelog" category="NSException" OR category="FinishLaunching" | eval A=if(category=="NSException", 1, 0) | eval B=if(category=="FinishLaunching", 1, 0) | stats sum(A) as TotalA sum(B) as TotalB | eval pct=TotalB/TotalA

View solution in original post

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎04-26-2013 11:57 AM

Another working solution --

index=norlogs sourcetype=devicelog category="NSException" OR category="FinishLaunching" 
| stats count by sourcetype,category
| xyseries sourcetype, category, count
| eval pct=NSException / FinishLaunching
Reply
Solved! Jump to solution

paul_1994
Path Finder
‎04-26-2013 01:07 PM

For some reason I could not get this working for me..

Are these the categories? eval pct=NSException / FinishLaunching

Also if my categories are more like this " NSexception 222: helpme" will the above still work?

Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

emiller42
Motivator
‎04-26-2013 11:49 AM

Try something like this:

index="norlogs" sourcetype="devicelog" category="NSException" OR category="FinishLaunching" | eval A=if(category=="NSException", 1, 0) | eval B=if(category=="FinishLaunching", 1, 0) | stats sum(A) as TotalA sum(B) as TotalB | eval pct=TotalB/TotalA
Reply
Solved! Jump to solution

paul_1994
Path Finder
‎04-26-2013 01:08 PM

Yay.. thanks I was able to use this solution.

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎04-26-2013 11:57 AM

(yay IRC!)

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...