Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I calculate 2 different search result.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
leujinlove
Explorer
10-29-2014
05:24 PM
I have 2 search results and I like to calculate them.
first is:
host=Marketing-test1 source="/home/splunker/client_mailInfo.csv" E_mail="*"| dedup E_mail | stats count as "Total A"
second one is:
host=Marketing-test1 source=/home/splunker/client_mailInfo.csv E_mail="*"| dedup E_mail | table E_mail, Company, department, Client | fillnull value=DB | sort 0 E_mail | join E_mail [search host=Marketing-test1 NOT source=/home/splunker/client_mailInfo.csv | table E_mail] | stats count as "Total B"
Finally, I would like to get the result, newvalue= "Total B"/"Total A" * 100
I tried OR, appendcols to get the result I want, but it did not go well.
Could anyone help me to solve the problem?
Thank you in advance.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-29-2014
06:05 PM
Try this
host=Marketing-test1 E_mail="*" | stats count by source,E_mail | eval type=if(source="/home/splunker/client_mailInfo.csv","A","B") | eventstats count(eval(type="A")) as countA | stats first(countA) as countA values(type) as type by E_mail | where mvcount(type)=2 | stats first(countA) as "Total A", count as "Total B" | eval Percent='Total B'*100/'Total A'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-29-2014
06:05 PM
Try this
host=Marketing-test1 E_mail="*" | stats count by source,E_mail | eval type=if(source="/home/splunker/client_mailInfo.csv","A","B") | eventstats count(eval(type="A")) as countA | stats first(countA) as countA values(type) as type by E_mail | where mvcount(type)=2 | stats first(countA) as "Total A", count as "Total B" | eval Percent='Total B'*100/'Total A'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
leujinlove
Explorer
10-29-2014
07:07 PM
Thanks a lot.
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
