Calculating Kill / Death ratio in a game

khourihan_splun
Splunk Employee

I'd like to calculate K/D ratio for the game Insurgency.

I have two searches that can calculate #kills and number of deaths #killer

I'd like to calculate the ratio of K v. D's.

index=insurgency  sourcetype="insurgency" killed 
| rex "killed \"(?<killed>.*?)<" 
| rex ":\s+\"(?<killer>.*?)<" 
| stats count by killer

I'd like to calculate the ratio of Kills/Deaths. Any suggestions?

1 Solution

somesoni2
SplunkTrust

Try this:

index=insurgency sourcetype=insurgency
| rex "killed \"(?<killed>.*?)<"
| rex ":\s+\"(?<killer>.*?)<"
| stats count by killer killed
| appendpipe [ stats sum(count) as deaths by killed | rename killed as user ]
| appendpipe [ stats sum(count) as kills by killer | rename killer as user ]
| stats sum(deaths) as deaths sum(kills) as kills by user
| fillnull value=0
| eval ratio=if(deaths=0, kills, kills/deaths)

OR

index=insurgency sourcetype=insurgency
| rex "killed \"(?<killed>.*?)<"
| rex ":\s+\"(?<killer>.*?)<"
| eval Temp=killed.",Death ".killer.",Kill"
| makemv Temp
| table Temp
| mvexpand Temp
| rex field=Temp "(?<User>.*),(?<Action>.*)"
| chart count over User by Action
| eval ratio=if(Death=0, Kill, Kill/Death)
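
An offline cross-check of the first query's logic, added here as an example and not part of the original answer: Python re-implements the two rex extractions and the kills/deaths aggregation over constructed sample events. The log layout, the player names and the kd_table function are assumptions inferred from the regexes, not taken from the poster's data.

```python
import re
from collections import Counter

# Same extractions as the rex commands above (Python spells named groups (?P<name>...)).
KILLED_RE = re.compile(r'killed "(?P<killed>.*?)<')
KILLER_RE = re.compile(r':\s+"(?P<killer>.*?)<')

# Constructed sample events; the layout is an assumption inferred from the regexes.
SAMPLE_LOG = '''\
L 03/01/2015 - 20:15:01: "alice<2><ID_A><#Team_1>" killed "bob<3><ID_B><#Team_2>" with "m4a1"
L 03/01/2015 - 20:15:09: "alice<2><ID_A><#Team_1>" killed "bob<3><ID_B><#Team_2>" with "m4a1"
L 03/01/2015 - 20:15:30: "bob<3><ID_B><#Team_2>" killed "carol<4><ID_C><#Team_1>" with "ak74"
L 03/01/2015 - 20:15:41: "carol<4><ID_C><#Team_1>" say "nice shot"
L 03/01/2015 - 20:16:02: "alice<2><ID_A><#Team_1>" killed "carol<4><ID_C><#Team_1>" with "m4a1"
'''

def kd_table(log_text):
    """Return {user: (kills, deaths, ratio)} like the final stats/eval stage."""
    pairs = Counter()  # stats count by killer killed
    for line in log_text.splitlines():
        killed = KILLED_RE.search(line)
        killer = KILLER_RE.search(line)
        if killed and killer:  # events missing either field drop out of "stats ... by"
            pairs[(killer.group("killer"), killed.group("killed"))] += 1
    kills, deaths = Counter(), Counter()
    for (killer, killed), count in pairs.items():
        kills[killer] += count   # sum(count) as kills by killer
        deaths[killed] += count  # sum(count) as deaths by killed
    table = {}
    for user in sorted(set(kills) | set(deaths)):
        k, d = kills[user], deaths[user]  # a missing user counts as 0, like fillnull value=0
        table[user] = (k, d, k if d == 0 else k / d)  # if(deaths=0, kills, kills/deaths)
    return table

if __name__ == "__main__":
    for user, (k, d, ratio) in kd_table(SAMPLE_LOG).items():
        print(f"{user:8} kills={k} deaths={d} ratio={ratio:.2f}")
```

The sample covers a player with no deaths, a player with no kills, a repeated killer/killed pair, and a non-kill event that must be ignored.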

khourihan_splun
Splunk Employee

Both these queries worked. Thanks somesoni2! And thanks Lisa!!

0 Karma

khourihan_splun
Splunk Employee

Hey Lisa,
Thanks, here's what that yielded:

0 Karma

lguinn2
Legend

Why not

index=insurgency  sourcetype="insurgency" killed 
| rex "killed \"(?<killed>.*?)<" 
| rex ":\s+\"(?<killer>.*?)<" 
| stats count by killer killed
| appendpipe [ stats sum(count) as deaths by killed | rename killed as user ]
| appendpipe [ stats sum(count) as kills by killer | rename killer as user ]
| stats sum(deaths) as deaths sum(kills) as kills by user
| eval ratio=kills/deaths

There may be a better way, but I just can't think of it.

khourihan_splun
Splunk Employee

Your correction fixed it. Nice job, thanks!

0 Karma

yannK
Splunk Employee

Splunk all the GAMES LOGS !!!!!!

lguinn2
Legend

Found a typo - I have updated the answer above!

0 Karma

khourihan_splun
Splunk Employee

Thanks Lisa,
Sadly this didn't work. I will show the output of the search in the next box.

0 Karma