topic Re: How to aggregate the results based on the results of the transforming command? in Splunk Search

How to aggregate the results based on the results of the transforming command?

bollam — Tue, 29 Sep 2020 22:16:33 GMT

I'm trying to calculate the percentage of resources that are consumed by a job based on the start time of the job.
Each job has more than one event and startTime could vary in the events. So I'm considering the earliest start time of the job.
Using eventstats is not producing the events which im looking at.

stats earliest(start_time) as start_time by job, If this is replaced in the place of eventstats im getting the results what I want.

Can someone assist me on this?

index=main 
| search trainId=acggalladks"
| eventstats earliest(start_time) as start_time by job
| stats first(cpu) as total_cpu sum(cpu) as MB by start_time, job
| eval pct = round((MB/total_cpu)*100, 2)
| table pct job

Re: How to aggregate the results based on the results of the transforming command?

whrg — Tue, 29 Sep 2020 22:14:37 GMT

Just to clarify: Let us assume your events are (please add any missing fields):
job,start_time,cpu
Job A, 6am, 25
Job A, 7am, 35
Job A, 8am, 30
Job B, 8am, 10
Then what output do you want from the search?
And how do you calculate total_cpu?

Re: How to aggregate the results based on the results of the transforming command?

bollam — Tue, 29 Sep 2020 22:16:59 GMT

The total_cpu is the common for all the events.

I'm adding another row for job B which is job B 6am
I want output to be as below.
Job A, 6am, 25 pct_value
job B, 6am, 10 pct_value

Re: How to aggregate the results based on the results of the transforming command?

bollam — Tue, 29 Sep 2020 22:17:01 GMT

I tried this query and it's giving me the output what im looking at. But is it possible to get the output without join command?

Re: How to aggregate the results based on the results of the transforming command?

nagarjuna280 — Tue, 29 Sep 2020 22:15:26 GMT

remove join and see you get the same results (why you are using join),

try this, I think you are expecting below the search
index=main
| search trainId=acggalladks"
| stats earliest(cpu) as total_cpu sum(cpu) as MB by job
| eval pct = round((MB/total_cpu)*100, 2)
| table pct job

Re: How to aggregate the results based on the results of the transforming command?

bollam — Tue, 29 Sep 2020 22:17:04 GMT

index=main
| search trainId="somevalue"
| stats earliest(start_time) as start_time by job

Whatever the output that returns by the field start_time from the above search need to be used in the by clause for the below query.

index=main
| search trainId="somevalue"
stats first(cpu) as total_cpu sum(cpu) as MB by start_time, job
| eval pct = round((MB/total_cpu)*100, 2)
| table start_time pct job

Re: How to aggregate the results based on the results of the transforming command?

nagarjuna280 — Tue, 04 Dec 2018 07:23:34 GMT

use map command

Re: How to aggregate the results based on the results of the transforming command?

whrg — Tue, 29 Sep 2020 22:15:40 GMT

How about:
index=main
| ...
| stats earliest(cpu) as total_cpu earliest(start_time) as start_time sum(cpu) as MB by job
| eval pct = ...

Re: How to aggregate the results based on the results of the transforming command?

bollam — Tue, 29 Sep 2020 22:17:07 GMT

@whrg, That way it won't work because i want the values of the start_time to be used in the by clause.
I got it solved without join but looking for an optimal way.