Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the ratio of fieldA, and if the ratio is greater than 5%, list the top 3 fieldBs associated with fieldA?

jgcsco
Path Finder
‎03-30-2015 11:50 AM

I have following event:

<...>Status1, StateA<....>
<...>Status2,<...>
<...>Status3<...>
<...>Status1, StateB<...>
<...>Status1, StateC<...>

I need to calculate the ratio of Status1 Count / Total Status Count

| stats count(eval(Status =="Status1")) as Status1_Count, count as Status_Count 
| eval ratio=100*round(Status1_Count/(Status_Count),1)

If the ratio is greater than 5%, I need to find out top 3 States associated with Status1. I have been using "append" to do another search get the result for State, but wondering if there is a way to combine the search into one?

Thanks in advance.

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-30-2015 01:46 PM

Assuming that you have fields named Status and State, 

<search terms> | fillnull State value="no state" | stats count by Status State | eventstats sum(count) as StatusCount by Status | eventstats sum(count) as TotalCount | search Status="Status1" | eval percent=100*StatusCount/TotalCount | sort - count

This search first uses fillnull to fill in a "no state" value for the State field if it's missing. We don't care about events that don't have any Status value, but presumably we don't want to exclude the events that have a Status value but no State value.

Then stats gets the unique combinations of Status and State. Then it gets interesting. Eventstats is a lot like stats, except that it leaves the rows untransformed. Instead it paints its output field values onto the same rows. Anyway, eventstats makes a pass through the data, and on each row it will add a field statusCount, that is the number of events in the entire set that have the status value of that row. Then eventstats makes a second pass through, writing on each row a TotalCount field that is, you guessed it, the total count of all events.

Now a search clause narrows us down to only the rows where Status="Status1", an eval calculates our ratio for us, and we sort so that the most common State values will be at the top. If you want the search to return zero results if the radio is less than 5%, that's pretty easy. Also if you want to present the three top States differently.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-30-2015 01:46 PM

Assuming that you have fields named Status and State, 

<search terms> | fillnull State value="no state" | stats count by Status State | eventstats sum(count) as StatusCount by Status | eventstats sum(count) as TotalCount | search Status="Status1" | eval percent=100*StatusCount/TotalCount | sort - count

This search first uses fillnull to fill in a "no state" value for the State field if it's missing. We don't care about events that don't have any Status value, but presumably we don't want to exclude the events that have a Status value but no State value.

Then stats gets the unique combinations of Status and State. Then it gets interesting. Eventstats is a lot like stats, except that it leaves the rows untransformed. Instead it paints its output field values onto the same rows. Anyway, eventstats makes a pass through the data, and on each row it will add a field statusCount, that is the number of events in the entire set that have the status value of that row. Then eventstats makes a second pass through, writing on each row a TotalCount field that is, you guessed it, the total count of all events.

Now a search clause narrows us down to only the rows where Status="Status1", an eval calculates our ratio for us, and we sort so that the most common State values will be at the top. If you want the search to return zero results if the radio is less than 5%, that's pretty easy. Also if you want to present the three top States differently.

Reply
Solved! Jump to solution

jgcsco
Path Finder
‎03-30-2015 03:10 PM

Thanks so much for the clear and detailed explanation. Really helped me understand difference between stats and eventstats.

Reply
Solved! Jump to solution

jgcsco
Path Finder
‎04-08-2015 03:06 PM

Wonder if I can ask a continuing question regarding the above result output, here is what I have:

| where percent > 5 | table percent State count

And the output is like the following: e.g. percent=5.2

percent State count
5.2 State1 A
5.2 State2 B
5.2 State3 C

Since the percent here is the total percent, I would like the result to show as the following:

percent 5.2
State count
State1 A
State2 B
State3 C

Or:

State count percent 5.2
State1 A
State2 B
State3 C

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...