Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass values to head command at run time?

Taruchit
Contributor
‎09-22-2023 02:47 AM

Hello All,

I need your help for using head command by passing the parameters at run time.

The background of the above is as follows: -

I am working on building a SPL to identify anomalous events in time series dataset.

I fetched average of the count of all events each hour and then compared with moving average to identify the datapoints and time instances when the average count of events during an hour were significantly greater than moving average at that point of time.

To understand the term "significantly greater", I computed the difference between average count of events for a day and the moving average up to the day and determine the percentage of difference with respect to moving average.

The observations varied across different datasets. That is for dataset 1, out of all events, 10% of the events had percentage of difference>=90%. However, for dataset 2, out of all events, 20% of the events had percentage of difference>=90%.

Thus, I decided to sort the results in descending order of percentage of difference and fetched first 10% of the total events by using head command.

Since the count of events returned varies for each dataset, how to compute and fetch 10% of events when the dataset is sorted in descending order based on percentage of difference?

Please share if I need to clarify or share any more details to articulate the above query better.

Thank you
Taruchit

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-22-2023 04:15 AM 
| streamstats count as row
| eventstats max(row) as total
| eval cuttoff=total/10
| where row <= cuttoff

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-22-2023 04:15 AM 
| streamstats count as row
| eventstats max(row) as total
| eval cuttoff=total/10
| where row <= cuttoff
Reply
Solved! Jump to solution

Taruchit
Contributor
‎09-22-2023 04:46 AM

Hi @ITWhisperer 

Thank you very much for your prompt help.

Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...