Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- COMPARE AVERAGE EVERY 30 MINUTES WITH DIFFERENT SO...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have several hosts that send me this type of information:
TIMESTAMP, DOWNLOAD, UPLOAD
with 2 different source one is OPERATOR1 and the other is OPERATOR2
I want to know how many times OPERATOR1 is better than OPERATOR2 considering the average DOWNLOAD in a configurable time span and viceversa.
So for example OPERATOR1 is performing better than OPERATOR2 if in a time span the average download is better than the OPERATOR2 average download in the same time span.
I want to produce a table with:
OPERATOR1,NUMBER_OF_TIMES_BETTER ,PERCENTAGE_OF_TIME_BETTER,TOTAL
OPERATOR2,NUMBER_OF_TIMES_BETTER ,PERCENTAGE_OF_TIME_BETTER,TOTAL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this (assuming source field has the value OPERATOR1 and OPERATOR2)
your base search | timechart span=putYourSpan avg(DOWNLOAD) by source | eval Operator=if(OPERATOR1>OPERATOR2,"OPERATOR1","OPERATOR2") | stats count by Operator
| eventstats sum(count) as Total | eval Percent=round(count*100/Total,2)
| table Operator count Percent Total
Updated
Grouping by host
your base search | bucket span=yourspan _time | eval OPERATOR1=if(source="OPERATOR1",DOWNLOAD,null())| eval OPERATOR2=if(source="OPERATOR2",DOWNLOAD,null())| stats avg(OPERATOR1) as OPERATOR1 avg(OPERATOR2) as OPERATOR1 by _time host | eval Operator=if(OPERATOR1>OPERATOR2,"OPERATOR1","OPERATOR2") | stats count by host Operator
| eventstats sum(count) as Total by host | eval Percent=round(count*100/Total,2)
| table host Operator count Percent Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this (assuming source field has the value OPERATOR1 and OPERATOR2)
your base search | timechart span=putYourSpan avg(DOWNLOAD) by source | eval Operator=if(OPERATOR1>OPERATOR2,"OPERATOR1","OPERATOR2") | stats count by Operator
| eventstats sum(count) as Total | eval Percent=round(count*100/Total,2)
| table Operator count Percent Total
Updated
Grouping by host
your base search | bucket span=yourspan _time | eval OPERATOR1=if(source="OPERATOR1",DOWNLOAD,null())| eval OPERATOR2=if(source="OPERATOR2",DOWNLOAD,null())| stats avg(OPERATOR1) as OPERATOR1 avg(OPERATOR2) as OPERATOR1 by _time host | eval Operator=if(OPERATOR1>OPERATOR2,"OPERATOR1","OPERATOR2") | stats count by host Operator
| eventstats sum(count) as Total by host | eval Percent=round(count*100/Total,2)
| table host Operator count Percent Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's almost what I need...but I can't figure out how to have all the results grouped by host. From the query you suggested I have the total and no host differentiation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the updated answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seem to work. Just a very small type error you renamed the avg(OPERATOR2) as OPERATOR1 instead of OPERATOR2.
I'm testing the query but it seems to be exactly what I was looking for.
OpenTelemetry for Legacy Apps? Yes, You Can!
UCC Framework: Discover Developer Toolkit for Building Technology Add-ons
.conf25 Community Recap
