Splunk Search

Trying to calculate a percentage of results within a range against the total number of events.

donfarland
Explorer

This seems like it should be rather simple, but I'm simply at a loss. All I'm trying to do is:

  • Count the total number of readings from a given sensor.
  • Count the number of readings that are in the allowable range.
  • Calculate the compliance percentage.

I can run the following searches independently without issue, but can't seem to figure out how to put them together.

  • room="106" | stats count as Total
  • room="106" | where S1_Temp>70 OR S1_Temp<76 | stats count as Compliant

All I really need to do is put them together so I can perform the calculation of "round((Compliant/Total),2) as CompliancePct"

The following is what I have so far, but it is interesting to note that the second query returns 28000+ when run alone and 0 in this combined query.

room="106" | stats count as Total | appendcols[| where S1_Temp>70 OR S1_Temp<76 | stats count as In]

somesoni2
SplunkTrust

Try something like this

room="106" | eval Compliant=if(S1_Temp>70 AND S1_Temp<76,1,0) | stats count as Total sum(Compliant) as Compliant | eval CompliancePct=round((Compliant/Total),2)
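
The single-pass conditional count from the answer above, as an added example that is not part of the original thread, run against constructed readings generated with makeresults so it needs no indexed data. The field names n, InRange, EitherSide and MatchedByOr and the temperature values are assumptions made for the demonstration; MatchedByOr applies the OR condition from the question next to the AND condition from the answer.

```spl
| makeresults count=10
| streamstats count as n
| eval room="106", S1_Temp=66+(2*n)
| eval InRange=if(S1_Temp>70 AND S1_Temp<76, 1, 0), EitherSide=if(S1_Temp>70 OR S1_Temp<76, 1, 0)
| stats count as Total sum(InRange) as Compliant sum(EitherSide) as MatchedByOr
| eval CompliancePct=round(Compliant/Total, 2)
```

Every numeric reading is either above 70 or below 76, so MatchedByOr equals Total, while Compliant counts only the readings strictly between the two limits. Keeping both counts in one stats call also avoids the appendcols subsearch, which runs as a separate search and receives no events when it begins with | where.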

donfarland
Explorer

I should have known the answer would involve 'eval'. I had played around with it some, but was trying to combine it with the "where" instead of an "if". Thank you very much, that works perfectly and opened my eyes to a number of other possibilities.
