Solved: Mathematic manipulation on 2 separate seraches

ramic · ‎01-07-2014

I want to perform mathematic manipulations on 2 unrelated search results.

i.e. I want to take a result like:
source="xxxx" sourcetype="xxx" eventType="xxx" clientVersion="x.x.x" | stats count as A

and divide it by a completely new search result:
source="yyyy" sourcetype="yyy" eventType="yyy" clientVersion="y.y.y" | stats count as B

A/B

gfuente · ‎01-08-2014

Maybe it will perform better with just one search, like:

(source="xxxx" sourcetype="xxx" eventType="xxx" clientVersion="x.x.x") OR (source="yyyy" sourcetype="yyy" eventType="yyy" clientVersion="y.y.y") | stats count(eval(if(clientVersion="x.x.x",1,null))) as A, count(eval(if(clientVersion="y.y.y",1,null))) as B | eval Results = A/B

Regards

View solution in original post

gfuente · ‎01-08-2014

Maybe it will perform better with just one search, like:

(source="xxxx" sourcetype="xxx" eventType="xxx" clientVersion="x.x.x") OR (source="yyyy" sourcetype="yyy" eventType="yyy" clientVersion="y.y.y") | stats count(eval(if(clientVersion="x.x.x",1,null))) as A, count(eval(if(clientVersion="y.y.y",1,null))) as B | eval Results = A/B

Regards

ramic · ‎01-08-2014

Thank you both, this works.
Still haven't figured how to manipulate multisearch results, used single search instead.

gfuente · ‎01-08-2014

You are right

ddarmand · ‎01-08-2014

It works but parenthesis are wrong

(source="xxxx" sourcetype="xxx" eventType="xxx" clientVersion="x.x.x") OR (source="yyyy" sourcetype="yyy" eventType="yyy" clientVersion="y.y.y") | stats count(eval(if(clientVersion="x.x.x",1,null))) as A, count(eval(if(clientVersion="y.y.y",1,null))) as B | eval Results = A/B

ddarmand · ‎01-08-2014

You can use multisearch for this

| multisearch [search index=a sourcetype="a" | eval type="A"] [search index=b sourcetype=b | eval type="B"]

Mathematic manipulation on 2 separate seraches

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!