Solved: compute the ratio of some specific fields in tota...

hjwang · ‎11-01-2010

Hello,i would like to compute the ratio of some specific fields in total event, for example, in IPS attack event log, i wanna get known with the ratio of scr_ip coming from the specific country in total attack event, it seems straightforward, but i don't know how to use search command.(that is to say the number of events by using src=xxx or src=xxx..., divided by the number of events non-using such condiction), Thanks!!

gkanapathy · ‎11-01-2010

... | stats count(src=="xxx") as xxx_count, count as total_count | eval ratio = xxx_count/total_count

View solution in original post

suminty · ‎12-06-2016

You would need to add eval with stats some thing like
| stats count(eval(rslt=="found")) as cache_hit, count as total_count | eval ratio=cache_hit/total_count,we will need add eval in stats something like:

| stats count(eval(rslt=="found")) as cache_hit, count as total_count | eval ratio=cache_hit/total_count

gkanapathy · ‎11-01-2010

... | stats count(src=="xxx") as xxx_count, count as total_count | eval ratio = xxx_count/total_count

hjwang · ‎11-02-2010

thanks, i try it, but the syntax stats should be count(eval(src="xxx")) as xxx_count

compute the ratio of some specific fields in total event

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!