https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208005#M60629 <P>Sure.. it's <A href="mailto:somesh.soni@gmail.com">somesh.soni@gmail.com</A></P> Wed, 09 Sep 2015 18:39:58 GMT somesoni2 2015-09-09T18:39:58Z https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/207996#M60620 <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/635i04B27D06EBD3A6DA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span><BR /> 1) In the picture attached, I want to display the values &gt;300 as good and less than 300 as bad</P> <P>2) The other part is to calculate the avg of each row (i.e. (calgary+leatherhead+Melbourne)/3) and display a new column with the avg of those, and if the value is &gt;350 it is good and less than 350 as bad</P> Wed, 09 Sep 2015 14:34:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/207996#M60620 vrmandadi 2015-09-09T14:34:03Z https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/207997#M60621 <P>There is no picture attached. Perhaps you could cut-and-paste the search query. Highlight the text of the search query, then use the <CODE>101010</CODE> icon to format it as "code" and it will look fine.</P> Wed, 09 Sep 2015 17:54:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/207997#M60621 lguinn2 2015-09-09T17:54:29Z https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/207998#M60622 <P>can you see the pic now</P> Wed, 09 Sep 2015 17:56:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/207998#M60622 vrmandadi 2015-09-09T17:56:03Z https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/207999#M60623 <P>What you want to show as in good OR bad? Can you provide sample output you expect?</P> Wed, 09 Sep 2015 18:05:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/207999#M60623 somesoni2 2015-09-09T18:05:33Z https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208000#M60624 <P>if the avg of three fields calgary+leatherhead+Melbourne/3 is greater than 300 then the avg value should be displayed and it should fall in good category for example<BR /> _time calgary houston<BR /> 2015-09-08 10 20<BR /><BR /> melbourne average status<BR /> 30 20 good</P> <P>the average of 10+20+30/3=20 <BR /> since its avg is greater than 10 it is good or else it should be bad</P> Wed, 09 Sep 2015 18:16:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208000#M60624 vrmandadi 2015-09-09T18:16:14Z https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208001#M60625 <P>One final question, will it be ok for your to fix the span of timechart??</P> Wed, 09 Sep 2015 18:25:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208001#M60625 somesoni2 2015-09-09T18:25:29Z https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208002#M60626 <P>ya so is there anything to do with that</P> Wed, 09 Sep 2015 18:27:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208002#M60626 vrmandadi 2015-09-09T18:27:51Z https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208003#M60627 <P>Hi somesh if you dont mind can i have your email id..i have seen you have almost 3 yrs exp in splunk as a dev and admin</P> Wed, 09 Sep 2015 18:31:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208003#M60627 vrmandadi 2015-09-09T18:31:39Z https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208004#M60628 <P>Try something like this (fixed the timechart span to 30 mins in bucket/timechart command)</P> <PRE><CODE>index=pams ..rest of base search host="ups... rest of host filter | eval duration=(2048/duration)*1000 | bucket span=30m _time | stats avg(duration) as duration by _time hostname | eval sitecode=substr(upper(hostname),1,3) | lookup app_utc_site_lat_long.csv sitecode OUTPUTNEW site | table _time site duration | appendpipe [| stats avg(duration) as duration by _time | eval site="TotalAvg"] | timechart span=30m avg(duration) as duration by site | eval category=if(TotalAvg&gt;300,"Good","Bad") </CODE></PRE> Wed, 09 Sep 2015 18:39:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208004#M60628 somesoni2 2015-09-09T18:39:30Z https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208005#M60629 <P>Sure.. it's <A href="mailto:somesh.soni@gmail.com">somesh.soni@gmail.com</A></P> Wed, 09 Sep 2015 18:39:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208005#M60629 somesoni2 2015-09-09T18:39:58Z https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208006#M60630 <P>Like this:</P> <PRE><CODE>index=pams sourcetype=transaction transaction_status=Success transaction="PAMS 2GiB Read" (host=ups6z4420yh24* OR host=ldn6z442166w6* OR host=cal6z442804vy* OR host=esh6z4419fvaj*) earliest=-1d@d latest=now | eval duration=2048000/duration | eval sitecode=substr(upper(hostname),1,3) | loookup app_utc_site_lat_long.csv sitecode OUTPUTNEW site | timechart avg(duration) by site | addtotals row=t | eval cols=-2 | foreach * [eval cols=cols+1] | eval AllSiteAvg=Total/cols | fields - Total cols | foreach * [eval &lt;&lt;FIELD&gt;&gt;_status = if((&lt;&lt;FIELD&gt;&gt; &gt; 300), "GOOD", "BAD")] | fields - _time_status </CODE></PRE> Wed, 09 Sep 2015 18:49:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208006#M60630 woodcock 2015-09-09T18:49:22Z https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208007#M60631 <P>thank you so much guys</P> Wed, 09 Sep 2015 19:42:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208007#M60631 vrmandadi 2015-09-09T19:42:40Z https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208008#M60632 <P>Be sure to close out the question by pickimg the answer that you like the best and clicking "Accept".</P> Thu, 10 Sep 2015 13:28:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-categorize-search-results-as-quot-good-quot-or-quot-bad/m-p/208008#M60632 woodcock 2015-09-10T13:28:29Z