Splunk Search

Calculate a value based on multiple events

larsxschneider
Explorer

My events have the following structure:
id=[id] key=[key] value=[value]

For example:
id=1 key=mycounter value=4
id=1 key=mytime value=40
id=2 key=mycounter value=5
id=2 key=mytime value=70
id=3 key=mycounter value=8
id=3 key=mytime value=90

I would like to calculate mycounter/mytime for each id.

I created a table ((key=mycounter OR key=mytime) | dedup id, key | table id, key, value) and tried to apply mvcombine and makemv, but I was not able to get it working. Is this the right way to go or is there a better way in Splunk?

Tags (2)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Try this:

key=mycounter OR key=mytime | eval value_{key} = value | stats first(value_*) as * by id | eval result = mycounter / mytime

The first eval creates two fields, value_mycounter and value_mytime. The stats merges the two events into one for each id. The final eval does the actual maths.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Try this:

key=mycounter OR key=mytime | eval value_{key} = value | stats first(value_*) as * by id | eval result = mycounter / mytime

The first eval creates two fields, value_mycounter and value_mytime. The stats merges the two events into one for each id. The final eval does the actual maths.

martin_mueller
SplunkTrust
SplunkTrust

Gerne! 🙂

0 Karma

larsxschneider
Explorer

Awesome! Thank you very much!

0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...