Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you return a conditional count and grand-total in a query?

skribble5
Explorer
‎12-19-2018 08:30 AM

Hi all,

Novice here. I have two separate queries that are doing a simple calculation each, but I would like to combine them. What would be the best way to do this?

The first query returns the distinct number of users within a data source:

Here is the result which says that the campaign "DM664023" had 297 recipients. The recipients are in the field "user_only"

alt text

The query used to get to that result is: 

sourcetype="xxx" source="yyy" 
campaign_delivery="DM664023"
| stats dc(user_only) as distinctRecipients by campaign_delivery

Then, the second query returns the number of users who have more than one record in the data-source. If a user only has 1 record in the data source, then that person only access the campaign once. If the user has > 1 record in the data source, then that person revisited the campaign.

The second query returns the number of revisits. Here is the result which says that the campaign DM664023 had 117 revisits.

alt text

The query used to get to second result is:

sourcetype="xxx" source="yyy" 
campaign_delivery="DM664023"
| stats count by user_only | where count > 1
| chart count as "Revisits"

Ideally, I want one search which returns the following:

"campaign" | "# total ppl who accessed the campaign" | "number of people who accessed campaign more than once | % of people who revisited campaign
DM664023 | 297 | 117 | 39.39%
campaign2 | x | y | y/x
campaign3 | a | b | b/a

Any help will be greatly appreciated!

Thanks!

Tags (2)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vijeta
Influencer
‎12-19-2018 09:05 AM

Try this if it works-

sourcetype="xxx" source="yyy" 
 campaign_delivery="DM664023"
 | eventstats count as revisit by user_only | stats dc(user_only) as distinctRecipients , count(eval(revisit>1)) as Revisit by campaign_delivery| eval perc= Revisit/distinctRecipients*100 | table campaign_delivery Revisit distinctRecipients perc

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Vijeta
Influencer
‎12-19-2018 09:05 AM

Try this if it works-

sourcetype="xxx" source="yyy" 
 campaign_delivery="DM664023"
 | eventstats count as revisit by user_only | stats dc(user_only) as distinctRecipients , count(eval(revisit>1)) as Revisit by campaign_delivery| eval perc= Revisit/distinctRecipients*100 | table campaign_delivery Revisit distinctRecipients perc
0 Karma
Reply
Solved! Jump to solution

skribble5
Explorer
‎12-19-2018 11:12 AM

Thanks Vijeta for coming back to me. I ran this query and I am getting the correct grand total but the revisit number is much larger than expected.

I get the 297 for the grand total but 247 for revisits which is too high. I am expecting around 117.

Any idea why?

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎12-19-2018 11:25 AM

Try dedup user_only before stats command

0 Karma
Reply
Solved! Jump to solution

skribble5
Explorer
‎12-19-2018 11:38 AM

That worked beautifully. Thank you so much!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...