Is there any way to specify the storage ratio? Like 30% of the logs stored on indexer A and the other 70% stored on indexer B?

splunk-enterprise, storage, ratios
Mon, 17 Feb 2020 03:50:30 GMT
aojie654

How do you calculate ratios of counts to field totals?
base search| stats count as spamtotal by spam
This gives me:
(13 events)
spam / **spamtotal**
===== =====
original / **5**
crispy / **8**
===== =====
What I want is:
(13 events)
spam / eggs / count / **spamtotal** / ratio
==========================
original / AAA / 2 / **5** / 0.4
original / BBB / 1 / **5** / 0.2
crispy / CCC / 2 / **8** / 0.25
crispy / DDD / 2 / **8** / 0.25
etc...
==========================
Basically it's a ratio of count to the spamtotal, or a dynamic impact percentage. I feel like this should be easy. But `stats` and `eventstats` aren't working for me so far. Thank you.

splunk-enterprise, calculated-field, ratio, ratios
Wed, 26 Sep 2018 22:09:57 GMT
chris94089

timechart ratio by model
Below is my query:
index_ sourcetype=main
| stats count(eval(level="Error")) as ERRORS count(eval(level="Information")) as USAGE by Model osVersion firmware
|eval RATE=round(((EXCEEDED/REQUEST)*100),1)
And I want to timechart the ratio by these three columns/dimensions: **Model, osVersion, firmware**.
Can someone assist me please?

timecharts, ratios
Wed, 09 May 2018 19:10:40 GMT
sarathipattam

How do I get ratio of counts from one search to counts from another?
I'm using splunk to track events that happen with users in different treatments of a split test. For example, how often do users in treatment 1 register or perform a search vs. users in treatment 2 or treatment 3.
I can see the results to see the raw number of times each event occurred for each treatment using something like the following:
*sourcetype=eventtracking | stats count by eventtype, treatment*
Which produces something like this:
Search treatment1 900
Search treatment2 200
Login treatment1 135
Login treatment2 10
This works great when all the tests are equal - if there are 2 treatments at 50% each for example. But when the tests are unequal, for example if one treatment is at 10% and the other at 90%, it's hard to find meaning in the graphs, because the larger group will always have more events.
I can get a count of how many users are in each group using something like the following:
*sourcetype=eventtracking | stats distinct_count(user_guid) as count by treatment*
Which produces something like this:
treatment1 90
treatment2 10
I'd like to see the number of times an event occurred divided by the number of people in the test group, to even out the playing field. I've tried a number of different things with no luck. How can I combine these queries to see proportional results, something like this:
Search treatment1 10
Search treatment2 20
Login treatment1 1.5
Login treatment2 1
Thanks!

subsearch, ratios
Tue, 05 Mar 2013 20:55:13 GMT
mariagullickson

Combining two search stats
I have 2 search queries.
sourcetype="zzz" Accepted | stats count as SuccessCases
sourcetype="zzz" Rejected | stats count as FailureCases
Now I need to find the ratio of both. How can I do that? Can anyone help me here?

join, append, ratios
Wed, 19 Oct 2011 11:28:52 GMT
adityapavan18

Aggregating WinEventLogs from 2,000 XP machines, total daily volume 20GB
https://answers.splunk.com/answers/31753/aggregating-wineventlogs-from-2-000-xp-machines-total-daily-volume-20gb.html
So we've 2,000 XP machines generating c.20GB of WinEventLogs. For compliance reasons, we want to log it centrally.
We're considering using universal forwarders on each machine and then using 2-4 intermediate forwarders to aggregate onto a single indexer.
I've read elsewhere about a suggested max ratio of 1000:1 forwarders to indexer and even of an example of 6000:1 in a similar use case.
If we do use intermediate forwarders, what sort of spec should we look at?
G.

forwarder, indexer, ratios
Wed, 05 Oct 2011 19:19:40 GMT
garfieldconnolly

Average of ratio of two fields?
In source X, I have fields A and B. I want to find the average ratio of two fields per hour. Something like:
`source=X * | stats avg(eval(A/B)) by date_hour`
...which obviously doesn't work. It says I need to rename something or rather...

stats, ratios
Thu, 12 May 2011 21:07:59 GMT
travispowell