Solved: Re: Calculate a value based on multiple events

larsxschneider · ‎09-28-2014

My events have the following structure:
id=[id] key=[key] value=[value]

For example:
id=1 key=mycounter value=4
id=1 key=mytime value=40
id=2 key=mycounter value=5
id=2 key=mytime value=70
id=3 key=mycounter value=8
id=3 key=mytime value=90

I would like to calculate mycounter/mytime for each id.

I created a table ((key=mycounter OR key=mytime) | dedup id, key | table id, key, value) and tried to apply mvcombine and makemv, but I was not able to get it working. Is this the right way to go or is there a better way in Splunk?

martin_mueller · ‎09-28-2014

Try this:

key=mycounter OR key=mytime | eval value_{key} = value | stats first(value_*) as * by id | eval result = mycounter / mytime

The first eval creates two fields, value_mycounter and value_mytime. The stats merges the two events into one for each id. The final eval does the actual maths.

View solution in original post

martin_mueller · ‎09-28-2014

Try this:

key=mycounter OR key=mytime | eval value_{key} = value | stats first(value_*) as * by id | eval result = mycounter / mytime

The first eval creates two fields, value_mycounter and value_mytime. The stats merges the two events into one for each id. The final eval does the actual maths.

martin_mueller · ‎09-28-2014

Gerne! 🙂

larsxschneider · ‎09-28-2014

Awesome! Thank you very much!

Calculate a value based on multiple events

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!