Solved: how to carry calculations down the pipe for furthe...

user93 · ‎03-21-2019

Goal: Count the percentage of users that scroll to through each section of a page.

Problem: I know the number of users that visited the page. Each time they scroll past a section, a section id is registered. I want to divide the distinct count of users for each section by the distinct count of page users.

Issue: I get lost between the stats, eventstats, and rename command so I cannot cary my values down the pipe. Basically I need dc(custno) total for page. Then I want to calculate dc(custno) total for section. Then percent by section where the section total is divided by page total.

user93 · ‎03-21-2019

Here is the answer:

Name both variables first with an eventstats command. Then evaluate percent. Dedup the section before creating table with percent by section as calculation will otherwise appear for all events.

View solution in original post

user93 · ‎03-21-2019

Here is the answer:

Name both variables first with an eventstats command. Then evaluate percent. Dedup the section before creating table with percent by section as calculation will otherwise appear for all events.

renjith_nair · ‎03-21-2019

@user93 ,

Updated:

  |stats dc(custno) as sectotal by section,page
  |eventstats sum(sectotal) as total by page
  |eval perc=round(sectotal*100/total,2)
  |table section,perc

Happy Splunking!

user93 · ‎03-21-2019

No does not work becuse sum adds for each section. This is incorrect. One user can view multiple sections. So where the page total is 200, adding each section on the page is 1,000.

user93 · ‎03-21-2019

I need a value, say value x, for each section. I need value, say value y, for the page. Then I need x*100/y for each section.

renjith_nair · ‎03-21-2019

Not sure how your data looks like , but from your explanation, try this assuming that you have a page field as well

 |stats dc(custno) as sectotal by section,page
 |eventstats sum(sectotal) as total by page
 |eval perc=round(sectotal*100/total,2)
 |table section,perc

Happy Splunking!

user93 · ‎03-21-2019

No. That is not correct. The is the page. I want total for each section and total for entire search.

I need value of total users for page.
I need value of total users for section.

This is all that is required for a percentage calulation, but the trouble for me is in the syntax because the value is from the same command but different scopes. Distinct Count search total. Distinct Count by section.

renjith_nair · ‎03-21-2019

Can you share some sample events or sample output (current and expected)?

|eventstats dc(custno) as total
|eventstats dc(custno) as sectotal by section

Happy Splunking!

user93 · ‎03-21-2019

Thanks. I tried the eventstats for both earlier but was later missing the dedup command so the table looked off.

how to carry calculations down the pipe for further calculations?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms