Developing for Splunk Platform

## How to calculate ratio between 2 fields? Communicator

Hello,

I want to calculate a ratio between two fields (i know it suppose to be an easy one but looks like im missing something)

i want to count all the Totals and then check where Total > 200  as latency and count them all
after i have both of them i want to check if the ration between them is > 0.3

``````sourcetype="*user-program*"
| eval Latency=if(Total>200,Total,null())
|eval Ratio = Total/Latency``````

Labels (1)
• ### Other

Tags (3)  SplunkTrust

To rephrase, you want to count the number of events where field Total > 200, and compare with total number of events in which field Total exists.  This would be an easy one except our brains tricks us when the field name is Total.  I have been in this type of confusion a lot.

``````sourcetype="*user-program*" Additional.Data=*
| eval highLatency=if(someMetric>200,1,0)
| stats count sum(highLatency) as highLatency
| eval Ratio = highLatency/count``````  SplunkTrust

What are you counting? There doesn't appear to be appear stats command.

Also, if Total is greater than 200, Latency will be the same as Total so Latency/Total will be 1, otherwise Latency will be null so Total/Latency will be null. Given that you are getting no results, this would suggest Total is never greater than 200. Communicator

there are lots of total>200
what im trying to calculate is the count of total
the count of where total>200

and then calculate the ratio between them

after i have the result of the ratio i want to check if the ration is > 0.3 and raise an alert Ultra Champion

So you want to

`| stats count(Total) as total count(eval(Total>200)) as matched| eval ratio=matched/total` Ultra Champion

I'm not sure what you're trying to achieve. Maybe it's the wording.

Counting usually means that you want to count how many separate events (possibly fulfilling some condition) yoy have.

With your search you're calculating values in every event. It doesn't have anything to do with any counting.

For every event you're calculating a field called Ratio, which can have a value of 1 (if Total was bigger than 200 - in this case Latency is also set to equal to Total an the ratio is obviously 1) or null (if Total is less or equal to 200, Latency is set to null and you can't calculate ratio from null). Get Updates on the Splunk Community!