Splunk Search

how to carry calculations down the pipe for further calculations?

user93
Communicator

Goal: Count the percentage of users that scroll to through each section of a page.

Problem: I know the number of users that visited the page. Each time they scroll past a section, a section id is registered. I want to divide the distinct count of users for each section by the distinct count of page users.

Issue: I get lost between the stats, eventstats, and rename command so I cannot cary my values down the pipe. Basically I need dc(custno) total for page. Then I want to calculate dc(custno) total for section. Then percent by section where the section total is divided by page total.

|eventstats dc(custno) as total
|stats dc(custno) by section
|rename dc(custno) as sectotal
|eval perc=round(sectotal*100/total,2)
|table section,perc

0 Karma
1 Solution

user93
Communicator

Here is the answer:

Name both variables first with an eventstats command. Then evaluate percent. Dedup the section before creating table with percent by section as calculation will otherwise appear for all events.

|eventstats dc(custno) as total
|eventstats dc(custno) as sectotal by section
|eval perc=round(sectotal*100/total,2)
|dedup section
|table section,perc

View solution in original post

0 Karma

user93
Communicator

Here is the answer:

Name both variables first with an eventstats command. Then evaluate percent. Dedup the section before creating table with percent by section as calculation will otherwise appear for all events.

|eventstats dc(custno) as total
|eventstats dc(custno) as sectotal by section
|eval perc=round(sectotal*100/total,2)
|dedup section
|table section,perc

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@user93 ,

Updated:

  |stats dc(custno) as sectotal by section,page
  |eventstats sum(sectotal) as total by page
  |eval perc=round(sectotal*100/total,2)
  |table section,perc
Happy Splunking!

user93
Communicator

No does not work becuse sum adds for each section. This is incorrect. One user can view multiple sections. So where the page total is 200, adding each section on the page is 1,000.

0 Karma

user93
Communicator

I need a value, say value x, for each section. I need value, say value y, for the page. Then I need x*100/y for each section.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Not sure how your data looks like , but from your explanation, try this assuming that you have a page field as well

 |stats dc(custno) as sectotal by section,page
 |eventstats sum(sectotal) as total by page
 |eval perc=round(sectotal*100/total,2)
 |table section,perc
Happy Splunking!
0 Karma

user93
Communicator

No. That is not correct. The is the page. I want total for each section and total for entire search.

I need value of total users for page.
I need value of total users for section.

This is all that is required for a percentage calulation, but the trouble for me is in the syntax because the value is from the same command but different scopes. Distinct Count search total. Distinct Count by section.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Can you share some sample events or sample output (current and expected)?

|eventstats dc(custno) as total
|eventstats dc(custno) as sectotal by section
Happy Splunking!
0 Karma

user93
Communicator

Thanks. I tried the eventstats for both earlier but was later missing the dedup command so the table looked off.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...