Splunk Search

Hi, I am new to Splunk and trying to understand Splunk queries. Can you please explain this query?

vijayparthasara
New Member

index=myvmr_main sourcetype="dbinput:solarwindsmyVMRQosQueue"
| eval total_packet=if(match(Stats_Name, "Pre-Policy"), SUM_of_Bytes, null())
| eval packet_drop=if(match(Stats_Name, "Drops"), SUM_of_Bytes, null())
| streamstats window=2 values(total_packet) as total, values(packet_drop) as dropVal by NodeName
| search dropVal > 0
| eval drop_perc=round((dropVal/total)*100,2)
| bin span=30m _time
| chart avg(drop_perc) as "Drop %" by NodeName


mayurr98
Super Champion

Hey @vijayparthasarathy,

index=myvmr_main sourcetype="dbinput:solarwindsmyVMRQosQueue"
Filtering "dbinput:solarwindsmyVMRQosQueue" events from the myvmr_main index.

| eval total_packet=if(match(Stats_Name, "Pre-Policy"), SUM_of_Bytes, null())
| eval packet_drop=if(match(Stats_Name, "Drops"), SUM_of_Bytes, null())

Evaluation function match(SUBJECT, "REGEX") - this function returns TRUE or FALSE based on whether REGEX matches SUBJECT.
Have a look at this example for more information:
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/ConditionalFunctions#match.28SUBJE...

| streamstats window=2 values(total_packet) as total, values(packet_drop) as dropVal by NodeName
streamstats - adds cumulative summary statistics to all search results in a streaming manner.
window - specifies the number of events to use when computing the statistics.
Have a look at the streamstats doc.

| search dropVal > 0
Filtering results where dropVal > 0

| eval drop_perc=round((dropVal/total)*100,2)
Calculating the percentage.

| bin span=30m _time
Creates buckets of _time with a span of 30m.
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Bin

| chart avg(drop_perc) as "Drop %" by NodeName
Calculating the average of the percentage by NodeName.

Well, you can see the results after each pipe and look at the changes happening.
Let me know if this helps!


phifa
New Member

Hi,

eval total_packet=if(match(Stats_Name, "Pre-Policy"), SUM_of_Bytes, null())

You are creating a new field called total_packet. The value of the field is conditioned on the field Stats_Name.
If the field Stats_Name is equal to Pre-Policy, the value of the new field total_packet will be equal to SUM_of_Bytes, and if not it will be null.

eval packet_drop=if(match(Stats_Name, "Drops"), SUM_of_Bytes, null())

You are creating a new field called packet_drop. The value of the field is conditioned on the field Stats_Name.
If the field Stats_Name is equal to Drops, the value of the new field packet_drop will be equal to SUM_of_Bytes, and if not it will be null.

streamstats window=2 values(total_packet) as total, values(packet_drop) as dropVal by NodeName

This command will create two new fields over the last 2 events seen, in a streaming manner, by NodeName:
total, which holds the values of the new field total_packet
dropVal, which holds the values of the new field packet_drop

e.g.:
Consider NodeName as your clientIP,
consider total_packet as bytes,
consider total as ASimpleSumOfBytes.

|search dropVal > 0

You are filtering for results where the field dropVal has a value greater than 0.

eval drop_perc=round((dropVal/total)*100,2)

Calculating the percentage of dropped packets and adding the value in a new field called drop_perc.

bin span=30m _time

You are splitting the search into periods of 30 min.
Meaning, if you ran this search for the last 4 hours, you will be calculating the above fields per 30 min, so you will have 8 results (8 * 30 min = 4 hours).

| chart avg(drop_perc) as "Drop %" by NodeName

Final result: a chart with the X-axis being the average of the percentage field created above, drop_perc, and the Y-axis the NodeName.

I hope this will help you.

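The two walkthroughs above explain each pipe in words. What follows is an added Python replay of the same pipeline on constructed rows; it is not code from this thread, from SolarWinds or from Splunk, and it assumes only the field names in the question (NodeName, Stats_Name, SUM_of_Bytes, _time) with byte counts made up for the example. It shows two things the prose does not: streamstats window=2 slides over every event, so a Pre-Policy row that follows a Drops row also produces a drop_perc (the previous dropVal paired with the new total), and a node that emits two Drops rows in a row leaves the window with no Pre-Policy value, so the ratio cannot be computed for that row. streamstats also works in the order events arrive, so in Splunk the result depends on whether the search is sorted by _time before this command.

```python
import re
from collections import defaultdict, deque

# Constructed sample events (not from the original post). Each poll of a QoS queue
# yields one "Pre-Policy" row and one "Drops" row per NodeName, in the shape the
# dbinput:solarwindsmyVMRQosQueue sourcetype from the question suggests.
# _time is epoch seconds; the byte counts are invented for the example.
EVENTS = [
    {"_time": 0,    "NodeName": "rtr-a", "Stats_Name": "Pre-Policy", "SUM_of_Bytes": 10000},
    {"_time": 0,    "NodeName": "rtr-a", "Stats_Name": "Drops",      "SUM_of_Bytes": 500},
    {"_time": 600,  "NodeName": "rtr-a", "Stats_Name": "Pre-Policy", "SUM_of_Bytes": 10000},
    {"_time": 600,  "NodeName": "rtr-a", "Stats_Name": "Drops",      "SUM_of_Bytes": 800},
    {"_time": 2400, "NodeName": "rtr-a", "Stats_Name": "Pre-Policy", "SUM_of_Bytes": 8000},
    {"_time": 2400, "NodeName": "rtr-a", "Stats_Name": "Drops",      "SUM_of_Bytes": 0},
    {"_time": 0,    "NodeName": "rtr-b", "Stats_Name": "Pre-Policy", "SUM_of_Bytes": 5000},
    {"_time": 0,    "NodeName": "rtr-b", "Stats_Name": "Drops",      "SUM_of_Bytes": 250},
    # Two consecutive Drops rows for rtr-b: a window of 2 never sees a Pre-Policy row.
    {"_time": 600,  "NodeName": "rtr-b", "Stats_Name": "Drops",      "SUM_of_Bytes": 300},
]


def eval_match(event, field, pattern, src):
    """eval x=if(match(field, "pattern"), src, null()) -- match() is a regex test."""
    return event[src] if re.search(pattern, event[field]) else None


def streamstats_values(events, window, by):
    """streamstats window=N values(total_packet) as total, values(packet_drop) as dropVal by <field>.

    For each event, values() is computed over a sliding window of the last N
    events with the same 'by' value, in arrival order. values() ignores nulls
    and returns the distinct values, so each result is a list (a multivalue).
    """
    windows = defaultdict(lambda: deque(maxlen=window))
    for e in events:
        w = windows[e[by]]
        w.append(e)
        total = sorted({x["total_packet"] for x in w if x["total_packet"] is not None})
        drop = sorted({x["packet_drop"] for x in w if x["packet_drop"] is not None})
        yield {**e, "total": total, "dropVal": drop}


def run_pipeline(events, span=1800):
    """Replay the whole query and return (chart, degenerate_windows).

    chart maps (time_bucket, NodeName) -> avg(drop_perc), the table that
    '| chart avg(drop_perc) as "Drop %" by NodeName' displays.
    degenerate_windows counts rows that passed 'search dropVal > 0' but whose
    window did not hold exactly one total and one dropVal, so dropVal/total is
    not a meaningful ratio; this replay skips them rather than dividing.
    """
    # | eval total_packet=...  | eval packet_drop=...
    evaluated = [
        {**e,
         "total_packet": eval_match(e, "Stats_Name", "Pre-Policy", "SUM_of_Bytes"),
         "packet_drop": eval_match(e, "Stats_Name", "Drops", "SUM_of_Bytes")}
        for e in events
    ]
    streamed = streamstats_values(evaluated, window=2, by="NodeName")

    buckets = defaultdict(list)
    degenerate = 0
    for row in streamed:
        # | search dropVal > 0   (a multivalue field matches if any value does)
        if not any(v > 0 for v in row["dropVal"]):
            continue
        # | eval drop_perc=round((dropVal/total)*100,2)
        if len(row["total"]) != 1 or len(row["dropVal"]) != 1:
            degenerate += 1
            continue
        drop_perc = round(row["dropVal"][0] / row["total"][0] * 100, 2)
        # | bin span=30m _time   (floor _time to the start of its 30-minute bucket)
        bucket = row["_time"] - row["_time"] % span
        buckets[(bucket, row["NodeName"])].append(drop_perc)

    # | chart avg(drop_perc) as "Drop %" by NodeName
    chart = {key: sum(v) / len(v) for key, v in buckets.items()}
    return chart, degenerate


if __name__ == "__main__":
    chart, degenerate = run_pipeline(EVENTS)
    for (bucket, node), pct in sorted(chart.items()):
        print(f"bucket={bucket:>5}  {node}  Drop % = {pct}")
    print(f"rows without a usable Pre-Policy/Drops pair: {degenerate}")
```

On the constructed rows, rtr-a's first bucket averages three drop_perc values (5.0, 5.0 and 8.0), the middle one coming from the Pre-Policy row paired with the Drops row before it, and rtr-b's second Drops row is counted as degenerate because its window contains no total. Adding `| sort 0 _time` (or `reverse`) before streamstats, or grouping each poll's two rows with a `stats` over a shared key, are the kinds of adjustments this replay helps reason about.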

Ahmed67
Engager

Evaluating total packet drops by node name every 30 minutes.
