finding the ratio of aggregated result?

Follow

Hatoon Almoajel

• June 27, 2019 16:38
• Edited

so I need to filter the result by using count_distinct(jname) because "jname" is not unique 

 

my issue ... is that I need to get the ratio of user1 to user2 count  

 

(_source=service.service.logs _collector=application.production)
| json auto
| where %"event.headers.app-id" != null and role = "user1" or role = "user2"
| timeslice 15m
| count_distinct(jname) as cnt by _timeslice, role 
| transpose row _timeslice column role

 

output:

#	Time                                                       user1		user2
1	06/27/2019 9:00:00 AM -0700	1	7
2	06/27/2019 9:15:00 AM -0700	3	7

1

• 

  Hatoon Almoajel

  • June 27, 2019 17:24

  so what I'm trying to do is generate a ratio field like so:

  #Time                                                       user1    user2              users_ratio

  106/27/2019 9:00:00 AM -0700 .              1             7                    1/7

  7206/27/2019 9:15:00 AM -0700              3            7                       3/7

  1

  Comment actions Permalink
• 

  Matt Wilson

  • July 20, 2021 16:20
  • Edited

  This answer may help?
  
  https://support.sumologic.com/hc/en-us/community/posts/4404270963351-Do-math-on-two-count-distinct-results

  0

  Comment actions Permalink

Please sign in to leave a comment.