Splunk Enterprise

Help on timechart events after ratio calculation

jip31
Motivator

hello

I use the search below in order to timechart events on the field "BPE - Evolution du ratio de perte de paquets"

It works fine but is there way to do the same thing easily please?

 

 

`index` sourcetype="netproc_tcp" ezc="BPE" 
| fields netproc_tcp_retrans_bytes site 
| bin _time span=30m  
| stats sum(netproc_tcp_retrans_bytes) as "PaquetsPerdusBPE" by _time site 
| search site="$site$" 
| append 
    [| search `index` sourcetype="netproc_tcp" ezc="BPE" 
    | fields netproc_tcp_total_bytes site 
    | bin _time span=30m 
| stats sum(netproc_tcp_total_bytes) as "PaquetsGlobauxBPE" by _time site 
        ] 
| search site="$site$" 
| stats last("PaquetsPerdusBPE") as "BPE - Paquets perdus (bytes)", last("PaquetsGlobauxBPE") as "BPE - Nombre total de paquets (bytes)" by _time site 
| eval "BPE - Evolution du ratio de perte de paquets" = ('BPE - Paquets perdus (bytes)' / 'BPE - Nombre total de paquets (bytes)') * 100 
| fields - "BPE - Paquets VMware perdus (bytes)" "BPE - Nombre total de paquets (bytes)" site

 

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try this

`index` sourcetype="netproc_tcp" ezc="BPE" 
| fields netproc_tcp_retrans_bytes netproc_tcp_total_bytes site 
| bin _time span=30m  
| stats sum(netproc_tcp_retrans_bytes) as "PaquetsPerdusBPE" sum(netproc_tcp_total_bytes) as "PaquetsGlobauxBPE" by _time site 
| search site="$site$" 
| eval "BPE - Evolution du ratio de perte de paquets" = (PaquetsPerdusBPE / PaquetsGlobauxBPE) * 100 
| fields - PaquetsPerdusBPE PaquetsGlobauxBPE site

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Not sure what the ask is here - what could be easier than using what you already have?

0 Karma

jip31
Motivator

I am just not sure that there is not a better way to do the same job, it's just the sense of my post

Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try this

`index` sourcetype="netproc_tcp" ezc="BPE" 
| fields netproc_tcp_retrans_bytes netproc_tcp_total_bytes site 
| bin _time span=30m  
| stats sum(netproc_tcp_retrans_bytes) as "PaquetsPerdusBPE" sum(netproc_tcp_total_bytes) as "PaquetsGlobauxBPE" by _time site 
| search site="$site$" 
| eval "BPE - Evolution du ratio de perte de paquets" = (PaquetsPerdusBPE / PaquetsGlobauxBPE) * 100 
| fields - PaquetsPerdusBPE PaquetsGlobauxBPE site
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...