Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After applying the stats percentile function to the daily max per sourcetype, how do I format the resulting table to create more fields?

HattrickNZ
Motivator
‎08-31-2015 09:00 PM

If I have the following, the max per day per sourcetype: 

index=_internal sourcetype=*  sourcetype=splunkd | timechart  span=d count(series) as t count(file) as t2 by sourcetype

_time        t2: splunkd    t: splunkd
2015-08-28  0             949
2015-08-29  0             0
2015-08-30  0             0
2015-08-31  42           13891
2015-09-01  17           13497

Then I want to apply the percentile function to these daily maxes (there might be a better way of doing this):

index=_internal sourcetype=*  sourcetype=splunkd | timechart  span=d count(series) as t count(file) as t2 by sourcetype | stats perc90(*) as *

t2: splunkd    t: splunkd
42           13891

Then I want to somehow get it to this because I want to create more fields e.g. t3=t*100/t2

sourcetype  t2  t
splunkd 42  13891

Can this be done?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-01-2015 07:40 AM

This should give you what you need

index=_internal sourcetype=splunkd 
| bucket span=1h _time | stats count(series) as t count(file) as t2 by _time,sourcetype | stats perc90(*) as * by sourcetype | eval t3=t*100/t2

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-01-2015 07:40 AM

This should give you what you need

index=_internal sourcetype=splunkd 
| bucket span=1h _time | stats count(series) as t count(file) as t2 by _time,sourcetype | stats perc90(*) as * by sourcetype | eval t3=t*100/t2
0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎09-01-2015 12:57 PM

tks, that's exactly what I want

and just for my reference and if you would like to clarify/comment.

the 2 searchs below give similar outputs, but i guess using the bucket option with stats gives more flexibility that timechart in this regard

index=_internal sourcetype=splunkd | bucket span=d _time | stats count(series) as t count(file) as t2 by _time,sourcetype

_time   sourcetype  t   t2
2015-08-31 00:00:00 splunkd 13891   42
2015-09-01 00:00:00 splunkd 25797   21
2015-09-02 00:00:00 splunkd 10881   17

index=_internal sourcetype=* sourcetype=splunkd | timechart span=d count(series) as t count(file) as t2 by sourcetype

_time   t2: splunkd t: splunkd
2015-08-31  42  13891
2015-09-01  21  25797
2015-09-02  17  10698
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌 Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...