topic Re: Calculate after stats command in Splunk Search

Calculate after stats command

jariw — Wed, 14 Jul 2021 10:15:44 GMT

L.s.,

I want to get the latency from the input from a forwarder to an index. So whe use the app Meta_woot. It creates an inputlookup file meta-woot. In this file are the latest in-time and host names and index names. So far so good.

Next is to use this file for calculating if a host is late or recent or delayed. Those searches are in the app and works fine. But i want a little extension, i want a table with the indexes as leading, and then calculate (by index) the percentage recent/late host, and sum it a one outcome (per index)

So far the theory, now my tries. I used below serach.

| inputlookup meta_woot where index=*
| eval convert_late=(1440*60)
| eval convert_delayed=(60*60)
| eval last_time=(now()-recentTime)
| eval last_time_indexed=case(last_time < convert_delayed, "Recent", last_time > convert_late, "Late", last_time > convert_delayed, "Delayed")
| eval compliant_host=if(last_time_indexed="Recent", "1","0")
| stats count(compliant_host) as chost by index, compliant_host

This gives me a result where the outcome has split into indexname vs compliant_host and chost

index compliant_host chost

main	0	11
main	1	123
msad	1	6
nmon	1	5
openshift	1	1
temp_log	1	1
wineventlog	1	2

Now the question, how do i calculate the percentage for index main ( (123+11)/11) so i get an percentage value. How do i calculate with values after a stats command??

Pls help

Thanx in advance

greetz

Jari

Re: Calculate after stats command

kamlesh_vaghela — Wed, 14 Jul 2021 16:51:21 GMT

@jariw

Are you looking for this?

Re: Calculate after stats command

jariw — Thu, 15 Jul 2021 06:42:43 GMT

Hi KV,

Thanx for the answer. it give me some clues to work with. The only (and i think diffiuct thing) is that i want to group the results from the "main" and calculate between those two.

"main"has two type's ,

one with the compliant_host with value 0, and total 11

one with the compliant_host with value 1, and total 123

I want tot calculate between those two.. ((123+11)/11)*100 for the (total amount in main/11)*100

I think the hardest problem is the grouping off the "main" en then calculate witth it.

grts

Jari

Re: Calculate after stats command

kamlesh_vaghela — Thu, 15 Jul 2021 08:33:50 GMT

@jariw

Can you please try this?

| makeresults | eval _raw="index,compliant_host,chost main,0,11 main,1,123 msad,1,6 nmon,1,5 openshift,1,1 temp_log,1,1 wineventlog,1,2" | multikv forceheader=1 | table index,compliant_host,chost | stats sum(chost) as total list(chost) as chost by index | eval chost=mvindex(chost,0) | eval percentage=round((total/chost)*100,2)

Re: Calculate after stats command

jariw — Tue, 20 Jul 2021 06:56:05 GMT

Hi KV,

Sorry for the late answer, i had a free long weekend.

I think i see it now. I don't have to group it indeed, just get the one's with value "0" for the complian_host. If that one is above 33 % then i want a warning.

I think i can write this one 🙂

thanks foor the help.

grts

Jari