Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

"Field1" can have one value as either yes or no. Calculate count for yes as count1 and count for no

VS0909
Communicator
‎09-07-2020 12:24 AM

"Field1" can have one value as either 'yes' or 'no'. I want to calculate count for 'yes' as count1 and count for 'no'  as count2. Then calculate the ratio of count1 and count2.

Any pointers please

Labels (6)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-07-2020 11:52 PM 
...
| eval count1=if(Field1="yes",1,0)
| eval count2=if(Field2="yes",1,0)
| stats sum(count1) as count1, sum(count2) as count2
| eval ratio=count1/count2
| fields ratio

View solution in original post

Reply
Solved! Jump to solution

VS0909
Communicator
‎09-08-2020 01:07 AM

@ITWhisperer  Thanks! Appreciate it

0 Karma
Reply
Solved! Jump to solution

VS0909
Communicator
‎09-07-2020 11:24 PM

@ITWhisperer  Thanks for the reply.

I am trying to do the above for two fields - field1 and field2 in a single spunk query, but somehow facing issues. 

"Field1" can have one value as either 'yes' or 'no'. "Field2" can have one value as either 'yes' or 'no'.

I want to calculate count for 'yes' as count1 for field1

and count for 'yes'  as count2 for field2. Then calculate the ratio of count1 and count2.

Any pointers please

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-07-2020 11:52 PM 
...
| eval count1=if(Field1="yes",1,0)
| eval count2=if(Field2="yes",1,0)
| stats sum(count1) as count1, sum(count2) as count2
| eval ratio=count1/count2
| fields ratio
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-07-2020 01:47 AM 
| stats count by Field1
| eval count1=if(Field1="yes",count,NULL()) 
| eval count2=if(Field1="no",count,NULL()) 
| fields count1, count2 
| stats values(*) as * 
| eval ratio=count1/count2
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...