Developing for Splunk Platform

How to calculate ratio between 2 fields?



I want to calculate a ratio between two fields (i know it suppose to be an easy one but looks like im missing something)

i want to count all the Totals and then check where Total > 200  as latency and count them all 
after i have both of them i want to check if the ration between them is > 0.3


| rename AdditionalData.Total as Total 
| eval Latency=if(Total>200,Total,null()) 
|eval Ratio = Total/Latency


this one returning no results

Labels (1)
Tags (3)
0 Karma


To rephrase, you want to count the number of events where field Total > 200, and compare with total number of events in which field Total exists.  This would be an easy one except our brains tricks us when the field name is Total.  I have been in this type of confusion a lot.

To eliminate this mental trap, instead of "rename AdditionalData.Total as Total", let's "rename AdditionalData.Total as someMetric".

sourcetype="*user-program*" Additional.Data=*
| rename AdditionalData.Total as someMetric
| eval highLatency=if(someMetric>200,1,0)
| stats count sum(highLatency) as highLatency
| eval Ratio = highLatency/count


0 Karma


What are you counting? There doesn't appear to be appear stats command.

Also, if Total is greater than 200, Latency will be the same as Total so Latency/Total will be 1, otherwise Latency will be null so Total/Latency will be null. Given that you are getting no results, this would suggest Total is never greater than 200.

0 Karma


there are lots of total>200
what im trying to calculate is the count of total
the count of where total>200

and then calculate the ratio between them

after i have the result of the ratio i want to check if the ration is > 0.3 and raise an alert 

0 Karma

Ultra Champion

So you want to

| stats count(Total) as total count(eval(Total>200)) as matched
| eval ratio=matched/total
0 Karma

Ultra Champion

I'm not sure what you're trying to achieve. Maybe it's the wording.

Counting usually means that you want to count how many separate events (possibly fulfilling some condition) yoy have.

With your search you're calculating values in every event. It doesn't have anything to do with any counting.

For every event you're calculating a field called Ratio, which can have a value of 1 (if Total was bigger than 200 - in this case Latency is also set to equal to Total an the ratio is obviously 1) or null (if Total is less or equal to 200, Latency is set to null and you can't calculate ratio from null).

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...