Splunk Search

Accessing results from search after timecharting

marrette
Path Finder

Hi all,

I'm trying to write a query that pulls up some data, time charts it, then calculates a percentage based on how much it found based on the 'known' maximum. This is all fairly straightforward except the known maximum must be calculated on the number of hosts found in the original search.

Firstly I came up with:

index=main host=hosts0*p "serviceAvailable=true" | 
timechart partial=false span=15m count by host  | 
foreach * [eval <<FIELD>> = '<<FIELD>>' * 100 / ( (15 * 60) / (10 / 2 ) )]

The search works fine and gives good results until I try to link the number of hosts the search found with the mathematics at the end. Ideally I would like to be able to do the following (at the end of the third line it counts the number of values in the host field):

index=main host=hosts0*p "serviceAvailable=true" | 
timechart partial=false span=15m count by host  | 
foreach * [eval <<FIELD>> = '<<FIELD>>' * 100 / ( (15 * 60) / (10 / stats dc(host) ) )]

But of course this isn't valid syntax!

Is there any way to get the count of the hosts this late in the query? I'm thinking some sort of sub-search but I can't seem to find anything that works.

Thanks
Eddie

1 Solution

somesoni2
SplunkTrust

Give this a try

index=main host=hosts0*p "serviceAvailable=true" |
timechart partial=false span=15m count by host |
eval hostcount=0 |
foreach hosts0* [eval hostcount=hostcount+1] |
foreach hosts0* [eval <<FIELD>> = '<<FIELD>>' * 100 / ( (15 * 60) / (10 / hostcount ) )] |
fields - hostcount


tpeveler_splunk
Splunk Employee

Here is an approach that uses an eval statement with a subsearch to get the overall number of hosts to use in the foreach statement that calculates the percentage.

I also included limit=0 in the timechart command so that all hosts are included in the results.

index=main host=hosts0*p "serviceAvailable=true"
| timechart limit=0 partial=false span=15m count by host
| eval numhosts= [ search index=main host=hosts0*p "serviceAvailable=true" | stats dc(host) as numhosts | return $numhosts ]
| foreach hosts0*p [ eval <<FIELD>> = '<<FIELD>>' * 100 / ( (15 * 60) / (10 / numhosts ) ) ]
