
After applying the stats percentile function to the daily max per sourcetype, how do I format the resulting table to create more fields?

Motivator

If I have the following, the max per day per sourcetype:

index=_internal sourcetype=*  sourcetype=splunkd | timechart  span=d count(series) as t count(file) as t2 by sourcetype

_time        t2: splunkd    t: splunkd
2015-08-28  0             949
2015-08-29  0             0
2015-08-30  0             0
2015-08-31  42           13891
2015-09-01  17           13497

Then I want to apply the percentile function to these daily maxes (there might be a better way of doing this):

index=_internal sourcetype=*  sourcetype=splunkd | timechart  span=d count(series) as t count(file) as t2 by sourcetype | stats perc90(*) as *

t2: splunkd    t: splunkd
42           13891

Then I want to somehow get it to this because I want to create more fields e.g. t3=t*100/t2

sourcetype  t2  t
splunkd 42  13891

Can this be done?


SplunkTrust

This should give you what you need

index=_internal sourcetype=splunkd 
| bucket span=1h _time | stats count(series) as t count(file) as t2 by _time,sourcetype | stats perc90(*) as * by sourcetype | eval t3=t*100/t2

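To make the accepted answer's pipeline concrete, here is an added Python model of it (not Splunk code, not from the answer) run over a few constructed events. It shows why stats by _time,sourcetype yields long-format rows that a later eval can use, whereas timechart's wide "t: splunkd" columns do not. Assumptions: bucket span=d truncates to UTC days, perc90 is modelled as an exact nearest-rank percentile (Splunk's perc functions are approximate), and eval on division by zero yields null, modelled as None.

```python
from collections import defaultdict
from datetime import datetime
import math

# Constructed sample events: (_time, sourcetype, series, file); None means the field is absent.
EVENTS = [
    ("2015-08-31T01:00:00", "splunkd", "s1", "f1"),
    ("2015-08-31T02:00:00", "splunkd", "s2", None),
    ("2015-08-31T03:00:00", "splunkd", "s3", "f2"),
    ("2015-09-01T05:00:00", "splunkd", "s4", "f3"),
    ("2015-09-01T06:00:00", "splunkd", "s5", None),
    ("2015-09-02T07:00:00", "splunkd", "s6", None),
    ("2015-09-02T08:00:00", "splunkd", None, None),
    ("2015-09-01T09:00:00", "metrics", "m1", None),
]

def bucket_day(ts):
    """bucket span=d _time: truncate the timestamp to the start of its (UTC, assumed) day."""
    return datetime.fromisoformat(ts).date().isoformat()

def stats_counts_by_time_sourcetype(events):
    """stats count(series) as t count(file) as t2 by _time,sourcetype.
    count(x) counts events where x is present; the output is one long-format row per (_time, sourcetype)."""
    rows = defaultdict(lambda: {"t": 0, "t2": 0})
    for ts, st, series, file in events:
        key = (bucket_day(ts), st)
        rows[key]["t"] += int(series is not None)
        rows[key]["t2"] += int(file is not None)
    return {k: dict(v) for k, v in sorted(rows.items())}

def perc90(values):
    """Nearest-rank 90th percentile (assumption: stands in for Splunk's approximate perc90)."""
    s = sorted(values)
    rank = math.ceil(0.9 * len(s))
    return s[max(rank - 1, 0)]

def perc90_by_sourcetype(daily):
    """stats perc90(*) as * by sourcetype: one row per sourcetype, each numeric field collapsed to its p90."""
    grouped = defaultdict(lambda: defaultdict(list))
    for (_, st), fields in daily.items():
        for name, v in fields.items():
            grouped[st][name].append(v)
    return {st: {name: perc90(v) for name, v in f.items()} for st, f in grouped.items()}

def eval_t3(by_st):
    """eval t3=t*100/t2; sourcetype is still a field here, so the calculation works per sourcetype.
    Splunk leaves t3 null when t2 is 0; modelled as None (assumption)."""
    for f in by_st.values():
        f["t3"] = f["t"] * 100 / f["t2"] if f["t2"] else None
    return by_st

def run_pipeline(events=EVENTS):
    return eval_t3(perc90_by_sourcetype(stats_counts_by_time_sourcetype(events)))
```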


Motivator

Thanks, that's exactly what I want.

And just for my reference, if you would like to clarify/comment:

The 2 searches below give similar outputs, but I guess using the bucket option with stats gives more flexibility than timechart in this regard.

index=_internal sourcetype=splunkd | bucket span=d _time | stats count(series) as t count(file) as t2 by _time,sourcetype

_time   sourcetype  t   t2
2015-08-31 00:00:00 splunkd 13891   42
2015-09-01 00:00:00 splunkd 25797   21
2015-09-02 00:00:00 splunkd 10881   17

index=_internal sourcetype=* sourcetype=splunkd | timechart span=d count(series) as t count(file) as t2 by sourcetype

_time   t2: splunkd t: splunkd
2015-08-31  42  13891
2015-09-01  21  25797
2015-09-02  17  10698