Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Append eval'd streamstats to stats in table

jspigler2010
Explorer
‎01-09-2018 05:50 PM

I am trying to append and eval'd field from streamstats to other fields from a stats command within a table. The following produces results in each field except new_loss (the eval'd field from streamstats). Is this possible? My current search which doesn't work

index=vdi sourcetype="vmware_pcoip" host=*
| sort _time
| convert ctime(_time) as "Latest Time Stamp" 
| stats last("Latest Time Stamp") as "Latest Time Stamp" last(loss_percentage) as loss_percentage last(round_trip_time_ms) as roundtrip last(rto) as rto last(quality) as quality last(avg_rx) as avgRX last(avg_tx) as avgTX by host
| streamstats current=f window=1 global=f last(bw_limit) as old_bw_limit by host
| eval new_loss=if(bw_limit>0,old_bw_limit-bw_limit,0)
| table "Latest Time Stamp" host loss_percentage roundtrip rto quality avgRX avgTX new_loss
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎01-09-2018 08:48 PM

bw_limit does not exist. Please also add bw_limit to STATS.

View solution in original post

Reply
Solved! Jump to solution

harishalipaka
Motivator
‎01-09-2018 11:57 PM

Try with

Inner join

Thanks
Harish
Reply
Solved! Jump to solution

jspigler2010
Explorer
‎01-11-2018 02:55 PM

Join worked great!

index=vdi sourcetype="vmware_pcoip" host=* bw_limit!=0 earliest=-15m latest=now 
| sort _time
| streamstats window=1 current=f last(bw_limit) as old_bw_limit by host
| eval new_loss=if(bw_limit<old_bw_limit,old_bw_limit-bw_limit,0) 
| join host [search index=vdi sourcetype="vmware_pcoip" host=* earliest=-15m latest=now 
| convert ctime(_time) as "Latest Time Stamp" 
| stats last("Latest Time Stamp") as "Latest Time Stamp" last(loss_percentage) as loss_percentage last(round_trip_time_ms) as roundtrip last(rto) as rto last(quality) as quality last(avg_rx) as avgRX last(avg_tx) as avgTX last(bw_limit) as bw_limit by host 
| fillnull value="0" 
| where (loss_percentage>=$lossPercentage$) AND (rto>=$rto$) AND (roundtrip>=$roundtrip$) AND (quality>=$quality$) AND (avgTX>=$avgTX$) AND (avgRX>=$avgRX$) AND (bw_limit>=$bw_limit$) ]
| where new_loss>=$new_loss$
| table "Latest Time Stamp" host loss_percentage roundtrip rto quality avgRX avgTX bw_limit

Thanks for the suggestion harish!

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎01-12-2018 10:14 PM

If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.

0 Karma
Reply
Solved! Jump to solution

jspigler2010
Explorer
‎01-10-2018 04:09 AM

Thanks Harish, will try join and see what I get.

0 Karma
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎01-09-2018 08:48 PM

bw_limit does not exist. Please also add bw_limit to STATS.

Reply
Solved! Jump to solution

micahkemp
Champion
‎01-09-2018 06:06 PM

Your search didn’t paste correctly. Please use the code button (101010) to make it format properly.

0 Karma
Reply
Solved! Jump to solution

jspigler2010
Explorer
‎01-10-2018 04:08 AM

Micah, not sure what you are referring to?

0 Karma
Reply
Solved! Jump to solution

jspigler2010
Explorer
‎01-10-2018 04:09 AM

Nm

Will update using code button...

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...