topic Re: summing two event counts by source in Splunk Search

summing two event counts by source

umplebyj — Wed, 04 Oct 2017 17:05:29 GMT

so, I am trying to parse out syslog stats data, trying to get a velocity of the events to figure out which log source is spiking when backlogs occur.

events: the count of events for a particular source type
src: the individual device sending logs to the syslog server.

as syslog stats don't reset until syslog is hup'd or otherwise restarted taking the list of events isn't specifically helpful.

So what I'm trying to figure out is how to get a velocity of trying to get something like: stats min(events, by source) and compare it to a stats max(events) by src. However I haven't been able to combine this properly.

Output would preferably be a table that has (src, maxevents, minevents, diff)

Re: summing two event counts by source

aholzer — Tue, 29 Sep 2020 16:05:56 GMT

I think what you are looking for is
| stats min(events) as min_events max(events) as max_events by src
| eval diff = max_events - min_events

Hope this helps

Re: summing two event counts by source

umplebyj — Wed, 04 Oct 2017 18:36:52 GMT

Could have sworn I tried something just like this and it somehow took the max of all sources and min of all sources (even though I through in the by source field)

Anyways, thanks this worked.