Solved: "Field1" can have one value as either yes or no. C...

VS0909 · ‎09-07-2020

"Field1" can have one value as either 'yes' or 'no'. I want to calculate count for 'yes' as count1 and count for 'no' as count2. Then calculate the ratio of count1 and count2.

Any pointers please

ITWhisperer · ‎09-07-2020

...
| eval count1=if(Field1="yes",1,0)
| eval count2=if(Field2="yes",1,0)
| stats sum(count1) as count1, sum(count2) as count2
| eval ratio=count1/count2
| fields ratio

View solution in original post

VS0909 · ‎09-08-2020

@ITWhisperer Thanks! Appreciate it

VS0909 · ‎09-07-2020

@ITWhisperer Thanks for the reply.

I am trying to do the above for two fields - field1 and field2 in a single spunk query, but somehow facing issues.

"Field1" can have one value as either 'yes' or 'no'. "Field2" can have one value as either 'yes' or 'no'.

I want to calculate count for 'yes' as count1 for field1

and count for 'yes' as count2 for field2. Then calculate the ratio of count1 and count2.

Any pointers please

ITWhisperer · ‎09-07-2020

...
| eval count1=if(Field1="yes",1,0)
| eval count2=if(Field2="yes",1,0)
| stats sum(count1) as count1, sum(count2) as count2
| eval ratio=count1/count2
| fields ratio

ITWhisperer · ‎09-07-2020

| stats count by Field1
| eval count1=if(Field1="yes",count,NULL()) 
| eval count2=if(Field1="no",count,NULL()) 
| fields count1, count2 
| stats values(*) as * 
| eval ratio=count1/count2

"Field1" can have one value as either yes or no. Calculate count for yes as count1 and count for no

count

eval

fields

regex

stats

transaction

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)