Splunk Search

Append eval'd streamstats to stats in table

jspigler2010
Explorer

I am trying to append an eval'd field from streamstats to other fields from a stats command within a table. The following produces results in each field except new_loss (the eval'd field from streamstats). Is this possible? My current search, which doesn't work:

index=vdi sourcetype="vmware_pcoip" host=*
| sort _time
| convert ctime(_time) as "Latest Time Stamp" 
| stats last("Latest Time Stamp") as "Latest Time Stamp" last(loss_percentage) as loss_percentage last(round_trip_time_ms) as roundtrip last(rto) as rto last(quality) as quality last(avg_rx) as avgRX last(avg_tx) as avgTX by host
| streamstats current=f window=1 global=f last(bw_limit) as old_bw_limit by host
| eval new_loss=if(bw_limit>0,old_bw_limit-bw_limit,0)
| table "Latest Time Stamp" host loss_percentage roundtrip rto quality avgRX avgTX new_loss
0 Karma
1 Solution

HiroshiSatoh
Champion

bw_limit does not exist. Please also add bw_limit to STATS.


harishalipaka
Motivator

Try with

Inner join

Thanks
Harish

jspigler2010
Explorer

Join worked great!

index=vdi sourcetype="vmware_pcoip" host=* bw_limit!=0 earliest=-15m latest=now 
| sort _time
| streamstats window=1 current=f last(bw_limit) as old_bw_limit by host
| eval new_loss=if(bw_limit<old_bw_limit,old_bw_limit-bw_limit,0) 
| join host [search index=vdi sourcetype="vmware_pcoip" host=* earliest=-15m latest=now 
| convert ctime(_time) as "Latest Time Stamp" 
| stats last("Latest Time Stamp") as "Latest Time Stamp" last(loss_percentage) as loss_percentage last(round_trip_time_ms) as roundtrip last(rto) as rto last(quality) as quality last(avg_rx) as avgRX last(avg_tx) as avgTX last(bw_limit) as bw_limit by host 
| fillnull value="0" 
| where (loss_percentage>=$lossPercentage$) AND (rto>=$rto$) AND (roundtrip>=$roundtrip$) AND (quality>=$quality$) AND (avgTX>=$avgTX$) AND (avgRX>=$avgRX$) AND (bw_limit>=$bw_limit$) ]
| where new_loss>=$new_loss$
| table "Latest Time Stamp" host loss_percentage roundtrip rto quality avgRX avgTX bw_limit

Thanks for the suggestion harish!

0 Karma
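A single-pass alternative to the join above, as an added example that is not from any poster in this thread: compute new_loss per event with streamstats before stats, then carry both bw_limit (the accepted answer's point) and new_loss through stats so they still exist when table runs. It uses only field names from the thread, keeps the question's bw_limit>0 guard in place of the bw_limit!=0 base filter, leaves out the dashboard $token$ filters, and returns one row per host holding that host's latest values.

```spl
index=vdi sourcetype="vmware_pcoip" host=* earliest=-15m latest=now
| sort 0 _time
| streamstats current=f window=1 global=f last(bw_limit) as old_bw_limit by host
| eval new_loss=if(bw_limit>0 AND isnotnull(old_bw_limit) AND bw_limit<old_bw_limit, old_bw_limit-bw_limit, 0)
| convert ctime(_time) as "Latest Time Stamp"
| stats last("Latest Time Stamp") as "Latest Time Stamp"
        last(loss_percentage) as loss_percentage
        last(round_trip_time_ms) as roundtrip
        last(rto) as rto
        last(quality) as quality
        last(avg_rx) as avgRX
        last(avg_tx) as avgTX
        last(bw_limit) as bw_limit
        last(new_loss) as new_loss
        by host
| fillnull value="0"
| table "Latest Time Stamp" host loss_percentage roundtrip rto quality avgRX avgTX bw_limit new_loss
```

stats discards every field it does not name, which is why the original search had no bw_limit left for streamstats and eval to work with; here the per-event comparison happens first and stats only has to keep the result.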

micahkemp
Champion

If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.

0 Karma

jspigler2010
Explorer

Thanks Harish, will try join and see what I get.

0 Karma


micahkemp
Champion

Your search didn’t paste correctly. Please use the code button (101010) to make it format properly.

0 Karma

jspigler2010
Explorer

Micah, not sure what you are referring to?

0 Karma

jspigler2010
Explorer

Nm

Will update using code button...

0 Karma