Solved: Re: help on timechart events after ratio calculati...

jip31 · ‎07-21-2022

hello

I use the search below in order to timechart events on the field "BPE - Evolution du ratio de perte de paquets"

It works fine but is there way to do the same thing easily please?

`index` sourcetype="netproc_tcp" ezc="BPE" 
| fields netproc_tcp_retrans_bytes site 
| bin _time span=30m  
| stats sum(netproc_tcp_retrans_bytes) as "PaquetsPerdusBPE" by _time site 
| search site="$site$" 
| append 
    [| search `index` sourcetype="netproc_tcp" ezc="BPE" 
    | fields netproc_tcp_total_bytes site 
    | bin _time span=30m 
| stats sum(netproc_tcp_total_bytes) as "PaquetsGlobauxBPE" by _time site 
        ] 
| search site="$site$" 
| stats last("PaquetsPerdusBPE") as "BPE - Paquets perdus (bytes)", last("PaquetsGlobauxBPE") as "BPE - Nombre total de paquets (bytes)" by _time site 
| eval "BPE - Evolution du ratio de perte de paquets" = ('BPE - Paquets perdus (bytes)' / 'BPE - Nombre total de paquets (bytes)') * 100 
| fields - "BPE - Paquets VMware perdus (bytes)" "BPE - Nombre total de paquets (bytes)" site

ITWhisperer · ‎07-21-2022

Try this

`index` sourcetype="netproc_tcp" ezc="BPE" 
| fields netproc_tcp_retrans_bytes netproc_tcp_total_bytes site 
| bin _time span=30m  
| stats sum(netproc_tcp_retrans_bytes) as "PaquetsPerdusBPE" sum(netproc_tcp_total_bytes) as "PaquetsGlobauxBPE" by _time site 
| search site="$site$" 
| eval "BPE - Evolution du ratio de perte de paquets" = (PaquetsPerdusBPE / PaquetsGlobauxBPE) * 100 
| fields - PaquetsPerdusBPE PaquetsGlobauxBPE site

View solution in original post

ITWhisperer · ‎07-21-2022

Not sure what the ask is here - what could be easier than using what you already have?

jip31 · ‎07-21-2022

I am just not sure that there is not a better way to do the same job, it's just the sense of my post

ITWhisperer · ‎07-21-2022

Try this

`index` sourcetype="netproc_tcp" ezc="BPE" 
| fields netproc_tcp_retrans_bytes netproc_tcp_total_bytes site 
| bin _time span=30m  
| stats sum(netproc_tcp_retrans_bytes) as "PaquetsPerdusBPE" sum(netproc_tcp_total_bytes) as "PaquetsGlobauxBPE" by _time site 
| search site="$site$" 
| eval "BPE - Evolution du ratio de perte de paquets" = (PaquetsPerdusBPE / PaquetsGlobauxBPE) * 100 
| fields - PaquetsPerdusBPE PaquetsGlobauxBPE site

Help on timechart events after ratio calculation

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?