Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Working with loadjob

daktapaal
Path Finder
‎01-31-2014 06:37 PM

Hi, I am hoping you can help me here.
I am running a search out of a saved search using the load job.. I did something like :
|loadjob savedsearch="abc:search:my search"

This produces a table of field cols that look like host1#maxpings , host2#maxpings etc.. Where max pings s the maximum pings that the host can have. Under these columns are the daily pingNumbers for these hosts.
something like :
…...

-………… host1#23…………. host2#56.1

  • day1 ………...3………………………..4
  • day2 ………..10……………………..11
  • day3 ………..20……………………….50

I need to find out if the average pings for 3 days is more than the numbering the column name. for example : in the above, I need to find for column1, (3+10+20)/3 < 23 and for column2 (4+11+50)/3 < 56.1 … I should then show only those columns, where the avg number is less than the number in the column…
i want to pseudocode something like |loadjob savedsearch="abc:search:my search" | stats avg(*) as average(*) | where average < substring-after( col-name,'#') . So that this will show only those columns where the average is less than the number in the column.
I am losing hopes on the help from google and splunk docs. Help with this will be highly appreciated.
Thanks in advance.
dT

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-01-2014 02:26 AM

I've recreated your table like this:

| gentimes start=-1 increment=2h | eval day=1 | accum day | eval day="day".day | eval host0#10=random()%50 | eval host1#20=random()%50 | eval host2#30=random()%50 | eval host3#40=random()%50 | eval host4#50=random()%50 | fields day host*

Based on that, this may be the postprocessing you're looking for:

... | stats avg(*) as * | transpose | rename "row 1" as average column as host | eval limit=replace(host, "^.*?#", "") | where average < limit

Compute averages, transpose and rename results, select part after "#", compare with average.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-01-2014 02:26 AM

I've recreated your table like this:

| gentimes start=-1 increment=2h | eval day=1 | accum day | eval day="day".day | eval host0#10=random()%50 | eval host1#20=random()%50 | eval host2#30=random()%50 | eval host3#40=random()%50 | eval host4#50=random()%50 | fields day host*

Based on that, this may be the postprocessing you're looking for:

... | stats avg(*) as * | transpose | rename "row 1" as average column as host | eval limit=replace(host, "^.*?#", "") | where average < limit

Compute averages, transpose and rename results, select part after "#", compare with average.

0 Karma
Reply
Solved! Jump to solution

Rmddas
New Member
‎02-01-2014 11:07 AM

cool. thanks.I figured this out last night 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...