Hi Base,
I tried to calculate a ratio of the occurrence of a value in a field. F.e. the field is Rvals and the values are 1,3,4,4,3,10,5,8,9,10.
I want to calculate the occurrence of “4” so my approach is first get the total:
…Rvals=* | stats count as r01
Now I need the amount of 4. So I thought append is (maybe) a good idea:
…Rvals=* | stats count as r01 | append [search Rvals=4 | stats count as r02]
That produce 10 (r01) and 2 (r02) and then calculate:
…Rvals=* | stats count as r01 | append [search Rvals=4 | stats count as r02] | eval r=(r02 * 100)/r01
And now the surprise: r is empty. For a short control:
…Rvals=* | stats count as r01 | append [search Rvals=4 | stats count as r02] | eval
r=(r02*100)/r01 | stats values(r01),values(r02),values(r)
I got results for r01,r02 but r shows no results. The question is why?
One more: I do not looking for an alternative way. I want to know why splunk cannot calculate the result of count?
Thanks!