5

I have two separate Splunk queries:

1st Query: outputs the unique user count in the last 24 hours
2nd Query: outputs the unique user count in the last 24 hours in geo = US

I want to create a timechart that will show a line chart with the % of users every day from the US.

How can this be achieved?

A-D

3 Answers

5

You can join the two queries by using the pipe operator |

So your query can look like this:

{firstQuery} as countUS| {secondQuery} as countTotal | eval perc=countUS/countTotal

Pritam Banerjee
1

You can use a conditional to count those from US

Example query:

index=data | timechart span=1d dc(user) as dc_user, dc(eval(if(geo="US",user,null()))) as us_user | eval perc_us=round(us_user/dc_user*100,2) | table _time, perc_us

Alternatively you can use the SPL join command but that would be less efficient as it would have to read the data twice and join the results.
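To make the conditional distinct count concrete, here is an added Python re-implementation of what the timechart above computes per day (not code from the question or either answer). It runs over a few constructed login events with the same _time, user and geo fields, and deliberately covers the two edge cases a practitioner trips over: a day with no events at all (us_user/dc_user becomes 0/0, which SPL reports as null, shown here as None) and a geo value with different casing, which the eval comparison treats as a non-match because eval string comparison is case-sensitive.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from the question); each dict is one login event.
SAMPLE_EVENTS = [
    {"_time": "2021-06-16T08:00:00Z", "user": "alice", "geo": "US"},
    {"_time": "2021-06-16T09:30:00Z", "user": "alice", "geo": "US"},  # same user twice: dc() counts once
    {"_time": "2021-06-16T11:00:00Z", "user": "bob",   "geo": "DE"},
    {"_time": "2021-06-16T13:00:00Z", "user": "carol", "geo": "US"},
    {"_time": "2021-06-16T15:00:00Z", "geo": "US"},                  # no user field: dc(user) ignores it
    {"_time": "2021-06-17T02:00:00Z", "user": "bob",   "geo": "DE"},
    {"_time": "2021-06-17T03:00:00Z", "user": "erin",  "geo": "US"},
    {"_time": "2021-06-17T04:00:00Z", "user": "frank", "geo": "US"},
    {"_time": "2021-06-17T05:00:00Z", "user": "grace", "geo": "us"},  # lowercase: not equal to "US" in eval
    # 2021-06-18 has no events at all: timechart still emits the bucket
    {"_time": "2021-06-19T06:00:00Z", "user": "bob",   "geo": "DE"},
]


def day_bucket(ts):
    """Equivalent of timechart span=1d: truncate an ISO-8601 UTC timestamp to its day."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).date()


def us_user_percentage(events, geo_value="US"):
    """
    Mirror of:
      timechart span=1d dc(user) as dc_user, dc(eval(if(geo="US",user,null()))) as us_user
      | eval perc_us=round(us_user/dc_user*100,2)
    Returns {"YYYY-MM-DD": {"dc_user": n, "us_user": m, "perc_us": p}} for every day
    between the first and last event, including days with no events.
    """
    all_users = defaultdict(set)
    us_users = defaultdict(set)
    for ev in events:
        user = ev.get("user")
        if user is None:
            continue  # dc(user) skips events where the field is absent
        day = day_bucket(ev["_time"])
        all_users[day].add(user)
        # if(geo="US", user, null()) yields null for non-US events, and dc() skips nulls,
        # so only users seen with geo exactly equal to geo_value enter the US set.
        if ev.get("geo") == geo_value:
            us_users[day].add(user)

    if not all_users:
        return {}

    result = {}
    day, last = min(all_users), max(all_users)
    while day <= last:
        dc_user = len(all_users.get(day, set()))
        us_user = len(us_users.get(day, set()))
        # 0/0 in SPL eval is null; represent that as None rather than raising ZeroDivisionError.
        perc_us = round(us_user / dc_user * 100, 2) if dc_user else None
        result[day.isoformat()] = {"dc_user": dc_user, "us_user": us_user, "perc_us": perc_us}
        day += timedelta(days=1)
    return result


if __name__ == "__main__":
    for day, row in us_user_percentage(SAMPLE_EVENTS).items():
        print(day, row)
```

If the geo field is not normalised at index time, compare on lower(geo)="us" in the eval (or lowercase the value before comparing in the Python version); otherwise users from mixed-case sources silently fall out of the US count while still inflating the denominator.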

0

Can you anonymize your data and show the query here? There are lots of ways to do this in Splunk, but we will need a bit more to go on.

For example:

Query: index=myindex sourcetype=mySourcetype | stats count dc(ip) as userTotal | append [ index=myindex sourcetype=mySourcetype region=US | stats dc(ip) as USTotal] 

theGlitchKing
I was thinking append as well. You should probably say "for example, you could use append:" or something similar so it is obvious what your example is an example of - the reason I suggest this is that the word "append" in the preformatted text doesn't show up on my screen - I have to actually scroll to the right to see it. – Jerry Jeremiah Jun 17 '21 at 23:34