I would like to know, per CountryId, what fraction of FooId is equal to BarId in the following log:
MyEvent CountryId=1 FooId=63407020 BarId=82955997
MyEvent CountryId=1 FooId=63407020 BarId=63407020
MyEvent CountryId=2 FooId=65407020 BarId=207020
So the desired output would be:
CountryId=1 1/2
CountryId=2 0
In pseudo-Splunk Search this would look something along the lines of:
((count(MyEvent) | where FooId != BarId) / count(MyEvent)) by CountryId
But how would I write this query in actual Splunk syntax?
Try like this
your base search giving fields CountryId FooId BarId
| eval FooBarEqual=if(FooId=BarId,1,0)
| stats count as total sum(FooBarEqual) as FooBarEqual by CountryId
| eval FooBarEqual=FooBarEqual/total
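To try the approach from the answer without indexed data, the following added example (not part of the original question or answer) rebuilds the three sample events with makeresults and computes the per-country fraction. The field names raw, matches and fraction are chosen here for illustration, and avg() over the 0/1 flag is used as an equivalent shortcut for dividing the sum by the count.

```spl
| makeresults
| eval raw=split("MyEvent CountryId=1 FooId=63407020 BarId=82955997;MyEvent CountryId=1 FooId=63407020 BarId=63407020;MyEvent CountryId=2 FooId=65407020 BarId=207020", ";")
| mvexpand raw
| rex field=raw "CountryId=(?<CountryId>\d+) FooId=(?<FooId>\d+) BarId=(?<BarId>\d+)"
| eval FooBarEqual=if(FooId==BarId,1,0)
| stats count as total sum(FooBarEqual) as matches avg(FooBarEqual) as fraction by CountryId
```

Against real data, replace everything up to and including the rex line with the base search that returns CountryId, FooId and BarId.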