Solved: How can I calculate 2 different search result.

leujinlove · ‎10-29-2014

I have 2 search results and I like to calculate them.

first is:

host=Marketing-test1 source="/home/splunker/client_mailInfo.csv" E_mail="*"| dedup E_mail | stats count as "Total A"

second one is:

host=Marketing-test1 source=/home/splunker/client_mailInfo.csv E_mail="*"| dedup E_mail | table E_mail, Company, department, Client | fillnull value=DB | sort 0 E_mail | join E_mail [search  host=Marketing-test1 NOT source=/home/splunker/client_mailInfo.csv | table E_mail] | stats count as "Total B"

Finally, I would like to get the result, newvalue= "Total B"/"Total A" * 100

I tried OR, appendcols to get the result I want, but it did not go well.
Could anyone help me to solve the problem?

Thank you in advance.

somesoni2 · ‎10-29-2014

Try this

host=Marketing-test1  E_mail="*" | stats count by source,E_mail | eval type=if(source="/home/splunker/client_mailInfo.csv","A","B") | eventstats count(eval(type="A")) as countA | stats first(countA) as countA values(type) as type by E_mail | where mvcount(type)=2 | stats first(countA) as "Total A", count as "Total B" | eval Percent='Total B'*100/'Total A'

View solution in original post

somesoni2 · ‎10-29-2014

Try this

host=Marketing-test1  E_mail="*" | stats count by source,E_mail | eval type=if(source="/home/splunker/client_mailInfo.csv","A","B") | eventstats count(eval(type="A")) as countA | stats first(countA) as countA values(type) as type by E_mail | where mvcount(type)=2 | stats first(countA) as "Total A", count as "Total B" | eval Percent='Total B'*100/'Total A'

leujinlove · ‎10-29-2014

Thanks a lot.

How can I calculate 2 different search result.

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life