Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help on timechart events after ratio calculation

jip31
Motivator
‎07-21-2022 03:54 AM

hello

I use the search below in order to timechart events on the field "BPE - Evolution du ratio de perte de paquets"

It works fine but is there way to do the same thing easily please?

 

 

`index` sourcetype="netproc_tcp" ezc="BPE" 
| fields netproc_tcp_retrans_bytes site 
| bin _time span=30m  
| stats sum(netproc_tcp_retrans_bytes) as "PaquetsPerdusBPE" by _time site 
| search site="$site$" 
| append 
    [| search `index` sourcetype="netproc_tcp" ezc="BPE" 
    | fields netproc_tcp_total_bytes site 
    | bin _time span=30m 
| stats sum(netproc_tcp_total_bytes) as "PaquetsGlobauxBPE" by _time site 
        ] 
| search site="$site$" 
| stats last("PaquetsPerdusBPE") as "BPE - Paquets perdus (bytes)", last("PaquetsGlobauxBPE") as "BPE - Nombre total de paquets (bytes)" by _time site 
| eval "BPE - Evolution du ratio de perte de paquets" = ('BPE - Paquets perdus (bytes)' / 'BPE - Nombre total de paquets (bytes)') * 100 
| fields - "BPE - Paquets VMware perdus (bytes)" "BPE - Nombre total de paquets (bytes)" site

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2022 04:51 AM

Try this

`index` sourcetype="netproc_tcp" ezc="BPE" 
| fields netproc_tcp_retrans_bytes netproc_tcp_total_bytes site 
| bin _time span=30m  
| stats sum(netproc_tcp_retrans_bytes) as "PaquetsPerdusBPE" sum(netproc_tcp_total_bytes) as "PaquetsGlobauxBPE" by _time site 
| search site="$site$" 
| eval "BPE - Evolution du ratio de perte de paquets" = (PaquetsPerdusBPE / PaquetsGlobauxBPE) * 100 
| fields - PaquetsPerdusBPE PaquetsGlobauxBPE site

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2022 04:10 AM

Not sure what the ask is here - what could be easier than using what you already have?

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-21-2022 04:40 AM

I am just not sure that there is not a better way to do the same job, it's just the sense of my post

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2022 04:51 AM

Try this

`index` sourcetype="netproc_tcp" ezc="BPE" 
| fields netproc_tcp_retrans_bytes netproc_tcp_total_bytes site 
| bin _time span=30m  
| stats sum(netproc_tcp_retrans_bytes) as "PaquetsPerdusBPE" sum(netproc_tcp_total_bytes) as "PaquetsGlobauxBPE" by _time site 
| search site="$site$" 
| eval "BPE - Evolution du ratio de perte de paquets" = (PaquetsPerdusBPE / PaquetsGlobauxBPE) * 100 
| fields - PaquetsPerdusBPE PaquetsGlobauxBPE site
0 Karma
Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...