
Hi, I am new to Splunk and trying to understand a Splunk query. Can you please explain this query?

New Member

index=myvmr_main sourcetype="dbinput:solarwindsmyVMRQosQueue"
| eval total_packet=if(match(StatsName, "Pre-Policy"), SUMofBytes, null())
| eval packet_drop=if(match(StatsName, "Drops"), SUMofBytes, null())
| streamstats window=2 values(total_packet) as total, values(packet_drop) as dropVal by NodeName
| search dropVal > 0
| eval drop_perc=round((dropVal/total)*100,2)
| bin span=30m _time
| chart avg(drop_perc) as "Drop %" by NodeName


SplunkTrust

Hey @vijayparthasarathy,

index=myvmr_main sourcetype="dbinput:solarwindsmyVMRQosQueue"
Filtering "dbinput:solarwindsmyVMRQosQueue" events from myvmr_main index.

| eval totalpacket=if(match(StatsName, "Pre-Policy"), SUMofBytes, null())
| eval packetdrop=if(match(StatsName, "Drops"), SUMofBytes, null())

Evaluation function match(SUBJECT, "REGEX"): this function returns TRUE or FALSE based on whether REGEX matches SUBJECT.
Have a look at this example for more information.
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/ConditionalFunctions#match.28SUBJE...

| streamstats window=2 values(totalpacket) as total, values(packetdrop) as dropVal by NodeName
Streamstats - adds cumulative summary statistics to all search results in a streaming manner.
window - specifies the number of events to use when computing the statistics.
Have a look at the streamstats doc.

| search dropVal > 0
Filtering results where dropVal > 0

| eval drop_perc=round((dropVal/total)*100,2)
Calculating the percentage.

| bin span=30m _time
Creates buckets of _time with a span of 30m.
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Bin

| chart avg(drop_perc) as "Drop %" by NodeName
Calculating the average of the percentage by NodeName.

Well, you can see the results after each pipe and look at the changes happening.
Let me know if this helps!


New Member

Hi,

eval totalpacket=if(match(StatsName, "Pre-Policy"), SUMofBytes, null())

You are creating a new field called totalpacket. The value of the field is conditioned on the field statsname.
If the field statsname is equal to Pre-policy, the value of the new field totalpacket will be equal to SUMofBytes, and if not it will be null.

eval packetdrop=if(match(StatsName, "Drops"), SUMofBytes, null())

You are creating a new field called packetdrop. The value of the field is conditioned on the field statsname.
If the field statsname is equal to Drops, the value of the new field totalpacket will be equal to SUMofBytes, and if not it will be null.

streamstats window=2 values(totalpacket) as total, values(packetdrop) as dropVal by NodeName

This command will create two new fields for the last 2 events seen in a streaming manner by nodename:
total, which is the values of the new field totalpacket;
dropval, which is the values of the new field packetdrop.

E.g.:
Consider the nodename as your clientIP,
consider total_packet as bytes,
consider total as ASimpleSumOfBytes.
(screenshot of the example results not included)

|search dropVal > 0

You are filtering results where the value of the field dropval is greater than 0.

eval drop_perc=round((dropVal/total)*100,2)

Calculating the percentage of dropped packets and adding the value in a new field called drop_perc.

bin span=30m _time

You are searching in periods of 30 min.
Meaning, if you ran this search for the last 4 hours, you will be calculating the above fields per 30 min, so you will have 8 results (8 * 30 min = 4 hours).

| chart avg(drop_perc) as "Drop %" by NodeName

Final result: a chart with the X-axis being the average of the percentage field created above, drop_perc, and the Y-axis the NodeName.

I hope this will help you.

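Both answers above walk through the pipeline stage by stage (eval/match, streamstats window=2 values() by NodeName, the dropVal > 0 filter, round(), bin span=30m, chart avg by NodeName). The Python below re-implements those stages over a handful of constructed rows so you can watch what each pipe does to the data. It is an added example, not code from the thread or from Splunk; the eight sample events, the node names rtr1/rtr2 and the helper names are all made up for the demonstration, and the `over` argument of `chart_avg` is an assumption used to show the difference between `chart ... by NodeName` (one value per node, the 30-minute bins aggregated away) and `chart ... over _time by NodeName` (one value per bin per node). Two behaviours worth seeing: the sliding window of 2 pairs every row with the previous row of the same node, so on alternating Pre-Policy/Drops rows the Pre-Policy row inherits the previous poll's drop count; and `search dropVal > 0` removes polls with zero drops before the average is taken.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not from the thread): the DB input delivers one
# "Pre-Policy" row and one "Drops" row per node per poll, in search order.
EVENTS = [
    {"_time": "2024-01-01T10:05:00", "NodeName": "rtr1", "StatsName": "Pre-Policy", "SUMofBytes": 1000},
    {"_time": "2024-01-01T10:05:00", "NodeName": "rtr1", "StatsName": "Drops",      "SUMofBytes": 50},
    {"_time": "2024-01-01T10:05:00", "NodeName": "rtr2", "StatsName": "Pre-Policy", "SUMofBytes": 500},
    {"_time": "2024-01-01T10:05:00", "NodeName": "rtr2", "StatsName": "Drops",      "SUMofBytes": 25},
    {"_time": "2024-01-01T10:20:00", "NodeName": "rtr1", "StatsName": "Pre-Policy", "SUMofBytes": 2000},
    {"_time": "2024-01-01T10:20:00", "NodeName": "rtr1", "StatsName": "Drops",      "SUMofBytes": 0},
    {"_time": "2024-01-01T10:35:00", "NodeName": "rtr1", "StatsName": "Pre-Policy", "SUMofBytes": 4000},
    {"_time": "2024-01-01T10:35:00", "NodeName": "rtr1", "StatsName": "Drops",      "SUMofBytes": 400},
]


def eval_if_match(events, new_field, regex, value_field):
    """| eval NEW=if(match(StatsName, REGEX), SUMofBytes, null())"""
    for e in events:
        e[new_field] = e[value_field] if re.search(regex, e["StatsName"]) else None
    return events


def streamstats_values(events, window, fields, by):
    """| streamstats window=N values(src) as dst ... by FIELD
    Each event sees itself plus the previous (window-1) events of the same
    group, in the order the search emits them. values() keeps the distinct
    non-null values; a single value is stored as a scalar, several as a list."""
    history = defaultdict(list)
    for e in events:
        history[e[by]].append(e)
        recent = history[e[by]][-window:]
        for src, dst in fields.items():
            vals = sorted({r[src] for r in recent if r[src] is not None})
            if not vals:
                e[dst] = None
            elif len(vals) == 1:
                e[dst] = vals[0]
            else:
                e[dst] = vals  # multivalue: the window held two rows of one kind
    return events


def drop_percentages(events):
    """| search dropVal > 0 | eval drop_perc=round((dropVal/total)*100,2)
    Rows with zero drops (or a multivalue dropVal/total) are dropped here,
    so the later average only covers polls where drops occurred."""
    out = []
    for e in events:
        if isinstance(e["dropVal"], (int, float)) and e["dropVal"] > 0:
            if isinstance(e["total"], (int, float)) and e["total"]:
                e["drop_perc"] = round(e["dropVal"] / e["total"] * 100, 2)
                out.append(e)
    return out


def bin_time(events, span_minutes):
    """| bin span=30m _time : floor each timestamp to the start of its bucket."""
    for e in events:
        t = datetime.fromisoformat(e["_time"])
        e["_time"] = (t - timedelta(minutes=t.minute % span_minutes, seconds=t.second)).isoformat()
    return events


def chart_avg(events, field, by, over=None):
    """| chart avg(FIELD) by BY   (or, with over set: over OVER by BY)
    Without `over`, the bins created by `bin` are aggregated away again and
    the chart has exactly one value per NodeName."""
    groups = defaultdict(list)
    for e in events:
        key = e[by] if over is None else (e[over], e[by])
        groups[key].append(e[field])
    return {k: sum(v) / len(v) for k, v in groups.items()}


def run_query(events, over=None):
    """Run the whole pipeline from the thread over a copy of the events."""
    rows = [dict(e) for e in events]
    rows = eval_if_match(rows, "total_packet", "Pre-Policy", "SUMofBytes")
    rows = eval_if_match(rows, "packet_drop", "Drops", "SUMofBytes")
    rows = streamstats_values(rows, 2, {"total_packet": "total", "packet_drop": "dropVal"}, "NodeName")
    rows = drop_percentages(rows)   # keeps rtr1@10:05 (5.0), rtr1@10:20 Pre-Policy row (2.5),
    rows = bin_time(rows, 30)       # rtr1@10:35 (10.0) and rtr2@10:05 (5.0)
    return chart_avg(rows, "drop_perc", "NodeName", over)


if __name__ == "__main__":
    for key, pct in run_query(EVENTS, over="_time").items():
        print(key, f"Drop % = {pct:.2f}")
```

Note the 2.5 % row: it is the 10:20 Pre-Policy event for rtr1, whose window contains the previous poll's Drops row (50 bytes) and its own total (2000 bytes). That stale pairing is a property of window=2 over alternating rows, not of the data, so when you read the chart remember that half the rows feeding the average pair a poll's total with the previous poll's drops.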

Engager

Evaluating total packet drops by node name every 30 minutes.
