Hello,
I am trying to obtain a list of userids (field) that come up under spamreport (event).
With that list of userids I would like to do another search to find the number of delivered events for each userid.
The final step is to calculate the percentage of spamreport over the total number of delivered for each userid and sort the table by highest to lowest spam percentage.
Right now I am searching the following:
sourcetype=json event=delivered [search sourcetype=json event=spamreport (ip=74.63.194.91 OR ip=74.63.194.94) | stats count by userid | eval SPMRPTS=count/2 | table userid] | stats count by userid | eval DLVRD=count | eval PercentSpam=SPMRPTS/DLVRD | table userid, DLVRD, SPMRPTS, PercentSpam
Essentially there is a subsearch to find the userids with spamreports and to calculate the value of spamreports into the variable SPMRPTS. Then an outer search searches for the total delivered for each userid. However, there is a problem accessing the SPMRPTS variable from the inner subsearch from the context of the outer search. Right now the SPMRPTS and PercentSpam fields are both empty in the table while the DLVRD field displays correctly.
Is there a way to make this subsearch variable accessible to the outside search? Is there another way to structure this so that the two searches happen simultaneously in one Splunk query?
Thanks, Andrew
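One way to get both counts in a single search, added here as an example and not part of the original post: a subsearch hands its results to the outer search only as a filter (effectively userid=A OR userid=B ...), so a field computed inside it such as SPMRPTS never reaches the outer pipeline. Pulling both event types in one search and counting each with a conditional count avoids the subsearch entirely; it assumes the same field names and IP filter as the post, keeps the post's division by 2 for SPMRPTS, and expresses PercentSpam as a percentage.

```spl
sourcetype=json (event=delivered OR (event=spamreport AND (ip=74.63.194.91 OR ip=74.63.194.94)))
| stats count(eval(event="delivered")) AS DLVRD
        count(eval(event="spamreport")) AS SPMRPTS
        by userid
| eval SPMRPTS=SPMRPTS/2
| where SPMRPTS > 0
| eval PercentSpam=round(100*SPMRPTS/DLVRD, 2)
| sort - PercentSpam
| table userid, DLVRD, SPMRPTS, PercentSpam
```

The where clause keeps only userids that actually have spam reports, matching the list the subsearch was meant to produce; a userid with spam reports but zero delivered events gets a null PercentSpam rather than an error, so check for that case before treating the table as complete.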