Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display the ratio of the sum of two fields?

ruhtraeel
Path Finder
‎10-16-2019 03:02 PM

Hello,
My data looks like this:

urlupdateid=4, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=T, EffectiveDate_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy

urlupdateid=3, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=F, EffectiveDate_correct=F, total_datetypes_correct=0, total_dates_correct=0, total_datetypes=1
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy

urlupdateid=2, urlid=1, payer=Aetna, ReviewDate_datetype_correct=T, ReviewDate_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy

urlupdateid=1, urlid=1, payer=Aetna, PublicationDate_datetype_correct=T, PublicationDate_correct=T, ReviewDate_datetype_correct=T, ReviewDate_correct=T, total_datetypes_correct=2, total_dates_correct=2, total_datetypes=2
host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy

I want to show the result of the sum of total_datetypes_correct for each row / total_datetypes for each row in a dashboard.

I tried this search query, but it says "Error in 'stats' command: The argument '(TOTAL_CORRECT)' is invalid.":

source="PCDAccuracy2.txt" host="Arthurs-MacBook-Pro.local" sourcetype="PCDAccuracy"| stats sum(total_datetypes_correct) as TOTAL_CORRECT values(total_datetypes) as total_datetypes | stats sum(total_datetypes) as TOTAL values (TOTAL_CORRECT) | eval total = TOTAL_CORRECT / TOTAL | table total_accuracy total

What am I doing wrong?

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ruhtraeel
Path Finder
‎10-16-2019 03:39 PM

Figured it out. I did this:

source="PCDAccuracy2.txt" host="Arthurs-MacBook-Pro.local" sourcetype="PCDAccuracy"| eventstats sum(total_dates_correct) as TOTAL_CORRECT | eventstats sum(total_datetypes) as TOTAL | eval total = TOTAL_CORRECT / TOTAL

View solution in original post

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎10-16-2019 04:22 PM

is this what you are trying to achieve?

| makeresults count=1
| eval data = "urlupdateid=4, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=T, EffectiveDate_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1 host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy;;;urlupdateid=3, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=F, EffectiveDate_correct=F, total_datetypes_correct=0, total_dates_correct=0, total_datetypes=1 host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy;;;urlupdateid=2, urlid=1, payer=Aetna, ReviewDate_datetype_correct=T, ReviewDate_correct=F, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1 host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy;;;urlupdateid=1, urlid=1, payer=Aetna, PublicationDate_datetype_correct=T, PublicationDate_correct=T, ReviewDate_datetype_correct=T, ReviewDate_correct=T, total_datetypes_correct=2, total_dates_correct=2, total_datetypes=2 host = Arthurs-MacBook-Pro.localsource = PCDAccuracy2.txtsourcetype = PCDAccuracy"
 | makemv delim=";;;" data
 | mvexpand data
 | eval _raw = data
 | table _raw
 | extract kvdelim="=" pairdelim=", "
 | rename COMMENT as "the above generates data below is the solution" 
 | table total_datetypes_correct total_datetypes
 | eval ratio = round(total_datetypes_correct / total_datetypes, 2)
0 Karma
Reply
Solved! Jump to solution

ruhtraeel
Path Finder
‎10-16-2019 04:57 PM

Not quite; I needed to add all the total_datetypes_correct values together for every event, as well as all the total_datetypes values together for every event, then calculate the ratio from that, rather than calculate the ratio for each event individually.

0 Karma
Reply
Solved! Jump to solution
Solution

ruhtraeel
Path Finder
‎10-16-2019 03:39 PM

Figured it out. I did this:

source="PCDAccuracy2.txt" host="Arthurs-MacBook-Pro.local" sourcetype="PCDAccuracy"| eventstats sum(total_dates_correct) as TOTAL_CORRECT | eventstats sum(total_datetypes) as TOTAL | eval total = TOTAL_CORRECT / TOTAL

0 Karma
Reply
Solved! Jump to solution

ruhtraeel
Path Finder
‎10-16-2019 03:10 PM

I would assume it's because the total_datetypes field no longer exists after the first "stats" command. How would I keep the previous fields?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...