
When I search "SearchText1", let's say there are 20 records.

When I search "SearchText2", there are 10 results.

Then I need to display a single value "2" in the dashboard

How do I formulate the Splunk query?

I tried the query below, where the numerator count is evaluated correctly, but something is wrong with the part related to the denominator count:

index=something "searchText1" 
| stats count as NumeratorCount 
| eval numerator=NumeratorCount
| append [ | search index=something "searchText2" 
  | stats count as DenominatorCount 
  | eval denominator=DenominatorCount ]
| eval result=round(if(denominator=0,0,numerator/denominator), 2)
| table result


When you remove the table command, you'll see the numerator and denominator are in separate results. This means the eval command computing 'result' is dividing numerator by NULL and NULL by denominator.

The fix is to combine the two rows using appendcols as in this example.

index=_internal "service_health_monitor"  
| stats count as NumeratorCount 
| eval numerator=NumeratorCount
| appendcols [ | search index=_internal "service_health_metrics_monitor"
  | stats count as DenominatorCount 
  | eval denominator=DenominatorCount ]
| eval result=round(if(denominator=0,0,numerator/denominator), 2)
| table result
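The following is an added illustration, not code from the question or the answer: a small Python model of the two Splunk commands, in which a result set is a list of dicts (one dict per row, a missing key standing in for NULL). It shows why `append` leaves the two counts on separate rows so the eval produces NULL, while `appendcols` places them on one row so the ratio can be computed, and it also exercises the zero-denominator branch. The event data and the function names (`search`, `stats_count`, `append`, `appendcols`, `eval_ratio`, `ratio_pipeline`) are constructed for this example and only mimic the semantics described in the answer.

```python
"""Model of Splunk append vs appendcols for a ratio-of-counts search.

Added example, not Splunk's implementation. A result set is a list of
dicts; a key that is absent from a row is treated as NULL.
"""
from typing import Callable, Dict, List, Optional

Row = Dict[str, Optional[float]]


def make_events() -> List[Dict[str, str]]:
    """Constructed sample index: 20 events matching SearchText1 and
    10 matching SearchText2, mirroring the numbers in the question."""
    events = [{"_raw": f"SearchText1 request {i} ok"} for i in range(20)]
    events += [{"_raw": f"SearchText2 request {i} ok"} for i in range(10)]
    return events


def search(events: List[Dict[str, str]], term: str) -> List[Dict[str, str]]:
    """Rough stand-in for `index=... "term"`: case-insensitive substring match."""
    return [e for e in events if term.lower() in e["_raw"].lower()]


def stats_count(rows: list, field: str) -> List[Row]:
    """`| stats count as <field>`: always exactly one row, even for zero hits."""
    return [{field: len(rows)}]


def append(base: List[Row], sub: List[Row]) -> List[Row]:
    """`| append [...]`: subsearch rows are added as NEW rows below the base rows."""
    return base + sub


def appendcols(base: List[Row], sub: List[Row]) -> List[Row]:
    """`| appendcols [...]`: subsearch fields are merged into the base rows
    position by position (row 1 with row 1, and so on)."""
    merged: List[Row] = []
    for i in range(max(len(base), len(sub))):
        row: Row = {}
        if i < len(base):
            row.update(base[i])
        if i < len(sub):
            row.update(sub[i])
        merged.append(row)
    return merged


def eval_ratio(rows: List[Row]) -> List[Row]:
    """`| eval result=round(if(denominator=0,0,numerator/denominator), 2)`.
    Any arithmetic involving NULL yields NULL, as in Splunk eval."""
    for row in rows:
        num = row.get("numerator")
        den = row.get("denominator")
        if num is None or den is None:
            row["result"] = None          # NULL operand -> NULL result
        elif den == 0:
            row["result"] = 0             # guard against division by zero
        else:
            row["result"] = round(num / den, 2)
    return rows


def ratio_pipeline(events: List[Dict[str, str]], term1: str, term2: str,
                   combine: Callable[[List[Row], List[Row]], List[Row]]) -> List[Row]:
    """Run the whole search with either `append` or `appendcols` as the combiner."""
    numerator_rows = stats_count(search(events, term1), "numerator")
    denominator_rows = stats_count(search(events, term2), "denominator")
    return eval_ratio(combine(numerator_rows, denominator_rows))


if __name__ == "__main__":
    events = make_events()
    # append: two rows, each missing the other's field, so result is NULL on both.
    print(ratio_pipeline(events, "SearchText1", "SearchText2", append))
    # appendcols: one row holding both counts, so result is 2.0.
    print(ratio_pipeline(events, "SearchText1", "SearchText2", appendcols))
```

Running the module prints the two-row `append` output with `result` NULL on both rows, then the single-row `appendcols` output with `result` 2.0; a term that matches nothing still yields a `denominator` of 0 (stats always emits one row), which the `if(denominator=0, 0, ...)` guard turns into 0 rather than an error.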