When using addcoltotals, some columns need a sum and another needs a divide, e.g. addcoltotals total per/count. Could you tell me how to do it? Thanks!
Now my search has a flaw: it runs the same search index=summary_user_info_exreport two times.
Hi, Masa. What I mean is using divide under addcoltotals in the same line, or another command I can use to arrive at my destination.
时间 门户 UU总数 登录总次数 平均次数
1 12/03/05 mt 251375 586442 2.33
2 12/03/05 wap 7120 802 0.11
3 12/03/05 www 14202 41542 2.93
4 90899 628786 1.79
The last line, viz. the fourth line: 90899 is an average, 628786 is a sum, and 1.79 is an average.
My saved search:
index=summary_user_login_exreport PORTAL=* USERFLAG=* SEX=* AGE=* PROVINCE=* CITY=* SERVICENAME=* CUSTOMMADE=* PLATFORM=* APN=* LOGINSUM=|mm_DEVICENAME_nomoralized
| rename OUTPUTDEVICENAME as DEVICENAME
| search DEVICENAME=
| eval time=strftime(_time, "%y/%m/%d")
| stats sum(UU) as uu,sum(LOGINSUM) as total by time PORTAL
| eval per=round(total/uu,2)
| append [search index=summary_user_login_exreport PORTAL=* USERFLAG=* SEX=* AGE=* PROVINCE=* CITY=* SERVICENAME=* CUSTOMMADE=* PLATFORM=* APN=* LOGINSUM=|mm_DEVICENAME_nomoralized
    | rename OUTPUTDEVICENAME as DEVICENAME
    | search DEVICENAME=
    | eval time=strftime(_time, "%y/%m/%d")
    | stats sum(UU) as uu,sum(LOGINSUM) as total by time PORTAL
    | eval per=total/uu
    | eventstats count
    | eval uu=uu/count
    | eval per=per/count
    | stats sum(uu) as uu sum(total) as total sum(per) as per]
| eval per=round(per,2)
| eval uu=round(uu)
| rename PORTAL as 门户,uu as UU总数,total as 登录总次数,per as 平均次数 time as 时间
Sorry I do not understand. Hope someone else can help you.
I wonder if you are looking for addcoltotals;
( http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addcoltotals )
or eventstats;
( http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eventstats )
Please try it and see if you can get what you are looking for.
Could you give a little more detail? Example of events and table results you are looking for?