Ratio using src_bytes instead of count for two fields

Engager

How can I do a ratio search not based on count, but based on srcbytes (inbound traffic), to get a ratio for two fields? For example, I want a ratio of two categories, Shopping sites to Search Engine sites, not by count but by bandwidth (srcbytes).

Re: Ratio using src_bytes instead of count for two fields

Communicator

You didn't give us a lot to go on.

Assuming that the two record types would have differing sourcetype (which they might not), the following should work:

...your base search search here... | stats sum(src_bytes) AS Size by sourcetype

That would create a sum of the values in src_bytes, using sourcetype as a grouping, over the timeframe of your search. If you have another field differentiating the two categories, you should be able to use that instead of sourcetype.

Re: Ratio using src_bytes instead of count for two fields

Engager

Here's what I'm trying to do. I'm trying to get a ratio of events within a category, but I'm only concerned with two events. One event is in the category IBC. The other events I want to consolidate into one event in the category, to get a ratio of IBC to Non-IBC traffic by srcbytes.

index=proxysg sourcetype=proxysg | stats sum(src_bytes) as MB by category | eval MB=round(MB/1024/1024,2) | category!=IBC Allow* as Non-Ibc, category=IBC Allow as IbC Allow

Re: Ratio using src_bytes instead of count for two fields

Communicator

Is 'category' a field in your raw data, do you have it extracted, or is that piece of the search still pending? Can you provide a few sample records (anonymize the data set as required).

There are likely a few ways to get what you're looking for.

Re: Ratio using src_bytes instead of count for two fields

Engager

Category is an extracted field. This search didn't work for me at all. This is the basic search I started out with, manipulating it to try to yield some results.

Re: Ratio using src_bytes instead of count for two fields

Communicator

Try:

index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | stats sum(src_bytes) AS Bytes by Category | eval MB=round(Bytes/1024/1024,2)

The ratios may need to be calculated once we've appropriately categorized the data.

Re: Ratio using src_bytes instead of count for two fields

Engager

The results shown were the two Categories, IBC and Non-IBC, along with the Bytes field and the MB field.

Re: Ratio using src_bytes instead of count for two fields

Engager

Is it possible to have it set up like this? I'm mainly concerned with the layout of the results. The results of this show a list of bases with the POSTs, GETs and the ratio of GET/POST:

index=proxysg sourcetype=proxysg | stats count(eval(method="POST")) AS POST, count(eval(method="GET")) AS GET by base | eval "RATIO OF GET/POST"=GET/POST

Re: Ratio using src_bytes instead of count for two fields

Communicator

I don't know what your results look like, so not sure. That said, here's another search which should give you a ratio:

index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | stats sum(eval(if(Category="IBC",src_bytes,0))) AS IBCBytes, sum(eval(if(Category="Non-IBC",src_bytes,0))) AS NonIBCBytes | eval IBCMB=round(IBCBytes/1024/1024,2), NonIBCMB=round(NonIBCBytes/1024/1024,2), Ratio=round(IBCBytes/NonIBCBytes,2)

Re: Ratio using src_bytes instead of count for two fields

Engager

That GET/POST one I sent you showed results like this:

base    POST  GET  RATIO OF GET/POST
base a  9     9    1
base b  6     2    0.33
base c  2     3    1.50
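
Added example, not posted by anyone in this thread: the per-base layout of the GET/POST search applied to bandwidth instead of count, going one step beyond the thread by grouping on base and guarding against a zero Non-IBC denominator. It assumes the extracted fields are named base, category and src_bytes (the thread uses both src_bytes and srcbytes; adjust to whichever your proxysg extraction produces). Summing raw bytes first and rounding only at the end avoids the precision loss of rounding each event to two decimal MB before summing.

```spl
index=proxysg sourcetype=proxysg
| eval Category=if(like(category,"IBC Allow%"),"IBC","Non-IBC")
| stats sum(eval(if(Category="IBC",src_bytes,0))) AS IBCBytes,
        sum(eval(if(Category="Non-IBC",src_bytes,0))) AS NonIBCBytes
        by base
| eval IBCMB=round(IBCBytes/1024/1024,2),
       NonIBCMB=round(NonIBCBytes/1024/1024,2),
       Ratio=if(NonIBCBytes>0, round(IBCBytes/NonIBCBytes,2), null())
| fields base, IBCMB, NonIBCMB, Ratio
| sort - Ratio
```

Drop the "by base" clause to get a single overall IBC to Non-IBC row; bases with no Non-IBC traffic show an empty Ratio rather than an error.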