Splunk Enterprise

Trying to use Eval with Stats

therealjosh
Observer

Hello I am new to Splunk and I am hoping someone will be able to help me out with a problem.

I am creating a Heatmap and the values aren't dynamic enough. Like I want the values of the heat graph to be calculated based on the total amount (whatever I am counting) / 7 (number of days) * .5. For example, the total amount of a certain week is 700, which means the result of the above equation is 50. If the source in question is below 50 then it would be red, above that would be yellow, and whatever I made for green. How can I calculate that when I have multiple sources being used? If this doesn't make sense I can provide some data. Thank you in advance for your time and help.

0 Karma

livehybrid
Super Champion

Hi @therealjosh 

Try something like the SPL example below, although if you have more info, sample logs or your existing search, that would help us tailor the response further 🙂

| makeresults count=14
| eval _time=relative_time(now(), "-" . (ceil(random()%7)) . "d")
| eval source=if(random()%2==0, "A", "B")
| eval value=round(random()%200)
| bin _time span=1d
| stats sum(value) as total by source _time
| eventstats sum(total) as week_total
| eval threshold=(week_total/7)*0.5
| eval color=case(total < threshold, "red", total < threshold*2, "yellow", 1=1, "green")

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

therealjosh
Observer

Hey @livehybrid! Thank you for taking a look at my question. I tried this way and it combines everything (meaning across different sources). I want to keep the sources separate. I replied with a little more information in another reply but I will also put it here. Here is my original query.
index=Basketball
| timechart span=1d count by players limit=100

For more information, I am counting something that the players did. In the players source there are about 50 people. When I say I want it individualized, I don't want the total of Player One, which is 100, to affect Player Two, who has 300. In your query it combines them and the first threshold would be 28.57, whereas the two players would have different thresholds. To continue with the sample data that I presented, Player One would have the first threshold be 7.142 and Player Two would have the first threshold be 21.43. If this is not possible then I will understand, but this is how I want the heatmap to work ideally. Does this make sense? Please let me know. I appreciate and thank you for your help. I hope to hear from you soon!

0 Karma

bowesmana
SplunkTrust

So if you have the stats that result in the number, e.g.

....
| stats sum(amount) as total by source
| eval total=total/7*.5

but without knowing what you've tried so far, this may or may not be useful.

It's often good to show what you've done with your SPL along with an explanation of your problem as it helps us understand where you're trying to get to.


0 Karma

therealjosh
Observer

Hello @bowesmana! Thank you for responding quickly, and I apologize for the delay. So this would work if I didn't have the heatmap to go along with it. To give more information, I will include my original query.
index=Basketball
| timechart span=1d count by players limit=100

The above is my query, and when I add what you typed individually it works, but when I put it together no results appear. I want to use the calculation that I get from what you typed to put it in my heat graph as thresholds. Does that make more sense? For example, let's say LeBron has a total of 100 one week. Once put into the equation, the product would be 7.14. This is the first threshold and it would show if he was below or above that threshold based on the color. Now another week goes by and this time the total was 300. Now the first threshold that was once 7.14 goes up to 21.43. And the same thing happens. Does that make sense? Please let me know. Thank you for your help once again, I hope to hear from you soon!

0 Karma

bowesmana
SplunkTrust

If you have a timechart split by a field, then it's different to stats, because your field name is not called total.

You need to use this type of construct

| foreach * [ | eval <<FIELD>>=round('<<FIELD>>'/7.0*.5, 2) ]

Here's an example you can run that generates some random data:

| makeresults count=1000
| eval p=random() % 5 + 1
| eval player="Player ".p
| streamstats count as c
| eval _time=now() - (c / 5) * 3600
| timechart span=1d count by player
| foreach * [ | eval <<FIELD>>=round('<<FIELD>>'/7.0*.5, 2) ]

However, it's still not entirely clear what you are trying to do.

You talk about a week of 700 but are timecharting by 1 day and you say if Lebron has 100 one week - what are you trying to get with the values by day?

Are you trying to normalise all players so they can be seen relative to each other or something else?

Perhaps you can flesh out what you are trying to achieve if you think of your data as a timechart.

0 Karma
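To tie the thread together (the per-player threshold the original poster describes in their replies, and bowesmana's point that a split timechart needs different handling), here is an added, self-contained SPL search that is not from any of the posts above. It reuses the same kind of synthetic `makeresults` data bowesmana used, but keeps the data in long (stats) format so that the weekly total, and therefore the threshold `week_total / 7 * 0.5`, is computed separately for each player and for each week, rather than across all players as in the earlier `eventstats` example. The week boundary (`@w`, Sunday) and the yellow band at twice the first threshold are assumptions of this example, not something the thread specifies.

```spl
| makeresults count=1000
| eval p=random() % 5 + 1
| eval player="Player ".p
| streamstats count as c
| eval _time=now() - (c / 5) * 3600
| bin _time span=1d
| stats count as daily by player _time
| eval week=strftime(relative_time(_time, "@w"), "%Y-%m-%d")
| eventstats sum(daily) as week_total by player week
| eval threshold=round(week_total/7*0.5, 2)
| eval color=case(daily < threshold, "red", daily < threshold*2, "yellow", true(), "green")
| table _time week player daily week_total threshold color
```

The `by player week` clause on `eventstats` is what keeps the players separate: a week in which one player has 100 events gives that player a threshold of 7.14, and a week with 300 gives 21.43, without the other players' totals entering the calculation. If the visualization needs the same shape as the original `timechart` (one row per day, one column per player), replace the final `table` line with `| xyseries _time player color` (or `| xyseries _time player daily` to keep the raw counts and apply the colour in the table formatting).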