
How to divide the results of two searches to get an average?

Poonsie
Explorer

I have two searches that return respectively the number total sessions and the number of device crashes. How can I divide sessions by device crashes to get an average?

0 Karma
1 Solution

sundareshr
Legend

Try this

platform=Android sourcetype="mint:Ping" | stats count as total_sessions | appendcols [ search platform=Android sourcetype="mint:error" | stats count as total_crashes ] | eval Average=total_sessions/total_crashes

cb_usps
Explorer

2 searches, one division... check.
I created an example doing the math: (ignore the fields I chose, replace with your own)

index=os sourcetype=cpu CPU=ALL | stats avg(pctCPUutil) as CPU_pct | appendcols [search index=os sourcetype=who | stats dc(USERNAME) as NUM_user | fields NUM_user] | eval CPU_per_user=CPU_pct/NUM_user | table CPU_pct NUM_user CPU_per_user

Edit: I tried submitting this yesterday, but Splunk's website refused to post it. It submitted today when I was cleaning up.

Poonsie
Explorer

Thanks for the response, I ended up with a table correctly displaying total_sessions, total_crashes, and Average_crashes. Is it possible to dive deeper into this average_crashes number and divide this number up based on device? I tried the chart command but I wasn't sure how to pull in the 'Average' that I calculated.

0 Karma
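An added example, not from any participant in this thread, for the per-device follow-up. Rather than stitching two searches together with appendcols (which joins rows by position and only lines up cleanly when each side returns exactly one row), it runs one search over both sourcetypes and lets stats count each sourcetype separately for every device, then appends an overall row so the single figure from the accepted answer is still there. The platform filter and sourcetypes are the ones used above; the field name `device` is an assumption for whatever field identifies the handset in these MINT events, so substitute the real one. Note that eval field names are case sensitive: the eval must spell the fields exactly as the stats command named them.

```spl
platform=Android (sourcetype="mint:Ping" OR sourcetype="mint:error")
| stats count(eval(sourcetype="mint:Ping")) AS total_sessions
        count(eval(sourcetype="mint:error")) AS total_crashes
        BY device
| sort - total_crashes
| addcoltotals total_sessions total_crashes labelfield=device label=ALL
| eval sessions_per_crash=round(total_sessions/total_crashes, 2)
| table device total_sessions total_crashes sessions_per_crash
```

Two caveats a practitioner would want: sessions divided by crashes is "sessions per crash" (higher is better), so if what you actually want is a crash rate, divide the other way round; and a device with sessions but no crashes shows an empty sessions_per_crash, because eval returns null on division by zero rather than an error, while the row itself stays in the table, which is the right outcome since a device with no crashes is the best case rather than missing data.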

somesoni2
SplunkTrust

Try like this

your search1 giving field Total_Sessions | appendcols [search search2 giving field Total_Crashes ] | eval Average=Total_Sessions/Total_Crashes

Poonsie
Explorer

My query looks like this with your advice:

platform =Android sourcetype = "mint:Ping" giving field total_sessions | appendcols [search platform=Android sourcetype="mint:error" giving field total_crashes] | eval Average=Total_sessions/Total_crashes

However it is telling me that "you can only use appendcols after a reporting command such as stats, chart, or timechart"

Thanks somesoni2!

0 Karma

somesoni2
SplunkTrust

My answer was pseudocode assuming that you already have the full query written to get you total_sessions and total_crashes from those two searches. I believe @sundareshr's answer should do the trick for you.

0 Karma