Turn on suggestions

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

Archive

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page

Highlighted

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

robertlynch2020

Motivator

12-05-2017
06:47 AM

Hi

I have a Maths problem that i am hoping Splunk has a function for.

It is in relation to calculation the % of time code is running out of a Total.

**So Example one - The easy example**

The Parent method takes 10 seconds [From 0 -10]

A Clild method takes 5 seconds. From 2-7

The child method is 50% of the Calculation

**Example 2 - a bit more difficult**

The Parent method takes 10 seconds [From 0 -10]

A child method is called twice from 0-2 and 4-6 so in total 4 seconds => 40%

**Example 3 _ In Parallel**

The Parent method takes 10 seconds [From 0 -10]

A child method is called 4 time in parallel overlapping can happen

0-5

2-5

6-7

6-9

So if i sum the time i get 0-5 =5, 2-5 =3, 6-7=1 6-9 =2 Total = 11 = > 110% [This is the issues, the real answer is 80%. As there is nothing running between 5-6 and 9-10].

So i have 2 vectors with start and stop of all these child method, and i would love if Splunk has a math function that would give me Total time the children was running i.e 8 and i will supplay 10 so i can get 80%

All help on this is welcomed.

Thanks

Robert Lynch

1 Solution

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Maths problem that i am hoping Splunk has a function for

somesoni2

SplunkTrust

12-05-2017
08:07 AM

Were you able to achieve the result using SPL?

Highlighted
##

| eval message="Happy Splunking!!!"

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Maths problem that i am hoping Splunk has a function for

niketnilay

Legend

12-05-2017
05:53 PM

@robertlynch2020, what does your current events, fields and query look like?

| eval message="Happy Splunking!!!"

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Maths problem that i am hoping Splunk has a function for

robertlynch2020

Motivator

12-06-2017
08:38 AM

| tstats summariesonly=true avg(All*TPS*Logs.duration) AS average

FROM datamodel=MLC*TPS*DEBUG4

WHERE (nodename=All*TPS*Logs

host=TALANX*PROD*1-rlynch-prod*splunk*20171204 )

NOT All*TPS*Logs.overflow=true

GROUPBY All*TPS*Logs.fullyQualifiedMethod All*TPS*Logs.startTime All*TPS*Logs.endTime | fields - average

OUTPUT

murex.apps.business.server.compliance.am.home.DefaultAssetMgmtComplianceAdministrationServiceSession#actuallyCheck 1512382324411 1512382324553

murex.apps.business.server.compliance.am.home.DefaultAssetMgmtComplianceAdministrationServiceSession#associate 1512382323324 1512382323324

murex.apps.business.server.compliance.am.home.DefaultAssetMgmtComplianceAdministrationServiceSession#buildSourceEventsOffRisksAndPropagateToDepedents 1512382323733 1512382324411

murex.apps.business.server.compliance.am.home.DefaultAssetMgmtComplianceAdministrationServiceSession#collectSourceEvents 1512382324411 1512382324485

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Maths problem that i am hoping Splunk has a function for

robertlynch2020

Motivator

12-06-2017
08:39 AM

So i get 3 fields

1) method.class

2) start (epoc to the millisecond)

3) stop (epoc to the millisecond)

Highlighted

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

DalJeanis

SplunkTrust

12-06-2017
02:34 PM

It's not a simple "function", but it's also not hard to do.

You are going to have to stitch together the parent and child events. Use the methods in one of these posts to calculate which points in time overlap and which there are no children running.

https://answers.splunk.com/answers/513002/how-to-graph-sum-of-overlapping-values-given-start.html#an...

https://answers.splunk.com/answers/565112/suggestions-for-charting-backlogs-by-month.html

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Maths problem that i am hoping Splunk has a function for

robertlynch2020

Motivator

12-18-2017
01:41 AM

Thanks for this, it took a bit of time but i got this in the end.

```
| tstats summariesonly=true values(All_TPS_Logs.duration) AS average, count(All_TPS_Logs.duration) AS count2
FROM datamodel=MLC_TPS_DEBUG4
WHERE (nodename=All_TPS_Logs host=TALANX-SLOW_LIMITPREVIEW_INT-2017-12-14_19_20_26-archive )
GROUPBY All_TPS_Logs.fullyQualifiedMethod All_TPS_Logs.startTime All_TPS_Logs.endTime All_TPS_Logs.duration
| sort All_TPS_Logs.fullyQualifiedMethod -1 All_TPS_Logs.startTime - All_TPS_Logs.duration
| streamstats max(All_TPS_Logs.fullyQualifiedMethod) as fullyQualifiedMethod_previous current=false
| streamstats max(All_TPS_Logs.endTime) as endTime_previous current=false reset_before="($All_TPS_Logs.fullyQualifiedMethod$!=$fullyQualifiedMethod_previous$)"
| streamstats sum(All_TPS_Logs.duration) as Duration_p reset_before="($All_TPS_Logs.fullyQualifiedMethod$!=$fullyQualifiedMethod_previous$)"
| eval s_duration_add = if($endTime_previous$!="*",if($endTime_previous$>$All_TPS_Logs.endTime$ , 0 ,if($All_TPS_Logs.startTime$ > $endTime_previous$,$All_TPS_Logs.duration$,$All_TPS_Logs.endTime$ - $endTime_previous$)),$All_TPS_Logs.duration$)
| streamstats sum(s_duration_add) as Duration_s reset_before="($All_TPS_Logs.fullyQualifiedMethod$!=$fullyQualifiedMethod_previous$)"
| table All_TPS_Logs.fullyQualifiedMethod All_TPS_Logs.startTime All_TPS_Logs.endTime endTime_previous fullyQualifiedMethod_previous All_TPS_Logs.duration s_duration_add Duration_p Duration_s | stats max(Duration_s) as Duration_s max(Duration_p) as Duration_p avg(All_TPS_Logs.duration) as average count(All_TPS_Logs.duration) AS count, stdev(All_TPS_Logs.duration) AS stdev, median(All_TPS_Logs.duration) AS median, exactperc95(All_TPS_Logs.duration) AS perc95, exactperc99.5(All_TPS_Logs.duration) AS perc99.5, min(All_TPS_Logs.duration) AS min, max(All_TPS_Logs.duration) AS max by All_TPS_Logs.fullyQualifiedMethod | eval Time_Sequential=Duration_s/((1513274889.932 - 1513274878.77)*10) | eval Parall_vs_Sequential=Duration_p/Duration_s | sort - Duration_s | Table All_TPS_Logs.fullyQualifiedMethod Time_Sequential Duration_s Parall_vs_Sequential Duration_p average count stdev median perc95 perc99.5 min max
```