topic Re: How to select only specific events from the search to do stats on? in Splunk Search

How to select only specific events from the search to do stats on?

reachskhm — Thu, 28 Apr 2016 15:41:38 GMT

Need a way to select only specific events from the list of events, so here the example I have a query on iis logs which gives me around say 60000 events so I want to select every 12th event from the the searched 60 events to do stats on those filtered events.

Re: How to select only specific events from the search to do stats on?

sundareshr — Thu, 28 Apr 2016 16:24:02 GMT

Try this
your base search | streamstats window=12 current=t count | where count=12 | stats ...

Re: How to select only specific events from the search to do stats on?

somesoni2 — Thu, 28 Apr 2016 16:31:14 GMT

Try like this

your base search | eval sno=1 | accum sno | where floor(sno/12)=(sno/12) | rest of your search

Re: How to select only specific events from the search to do stats on?

reachskhm — Thu, 28 Apr 2016 17:04:47 GMT

thanks for the resposne , have one more question , how to could store a event count of search so that i can do some arithmetic on it.

Re: How to select only specific events from the search to do stats on?

somesoni2 — Thu, 28 Apr 2016 18:19:09 GMT

Not sure I get it. Do you want to count of total search results in a field so that you can do some calculation (like percentage calculation) on it?

If above is true, you can use eventstats command to add aggregation in a new field, without changing/aggregating the search results.

e.g. This will give you field totalEvents with total events before the filter.

your base search | eval sno=1 | accum sno | eventstats count as totalEvents | where floor(sno/12)=(sno/12) | rest of your search

Re: How to select only specific events from the search to do stats on?

somesoni2 — Thu, 28 Apr 2016 18:19:46 GMT

This will just exclude first 11 events

Re: How to select only specific events from the search to do stats on?

reachskhm — Thu, 28 Apr 2016 18:31:42 GMT

That's similar to what I am looking for, but am facing issue here. In the above thing, I want to decide number 12 by doing math with total events:

your base search | eval sno=1 | accum sno | eventstats count as totalEvents |eval div=totalEvents /5000  |where floor(sno/div)=(sno/div) | rest of your search

but it's not giving me correct results!

Re: How to select only specific events from the search to do stats on?

somesoni2 — Thu, 28 Apr 2016 20:51:22 GMT

Could you explain what exactly is your requirement? You want to take every 12th event for your stats and use the total events (before 12th event filter) and using it for what?

Re: How to select only specific events from the search to do stats on?

reachskhm — Thu, 28 Apr 2016 21:06:53 GMT

Need to get a sample size of 5000 events to calculate mean and Standerddeviation for each day fro last 60 days, so in order to get get a random sample of 5000 events and calculating total events and then div is the floor (totalevents/5000) Then as I get this, I am picking each event based on div (like 12 before).

I am able to get it like this:

your base search | eval sno=1 | accum sno | eventstats count as totalEvents |eval div=floor(totalEvents /5000) |where floor(sno/div)=(sno/div) | head 5000| timechart span=1d  avg(filedx) stddev(filedx)..

Is there anything wrong with this search?