Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate a value based on multiple events

larsxschneider
Explorer
‎09-28-2014 01:20 PM

My events have the following structure:
id=[id] key=[key] value=[value]

For example:
id=1 key=mycounter value=4
id=1 key=mytime value=40
id=2 key=mycounter value=5
id=2 key=mytime value=70
id=3 key=mycounter value=8
id=3 key=mytime value=90

I would like to calculate mycounter/mytime for each id.

I created a table ((key=mycounter OR key=mytime) | dedup id, key | table id, key, value) and tried to apply mvcombine and makemv, but I was not able to get it working. Is this the right way to go or is there a better way in Splunk?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-28-2014 01:23 PM

Try this:

key=mycounter OR key=mytime | eval value_{key} = value | stats first(value_*) as * by id | eval result = mycounter / mytime

The first eval creates two fields, value_mycounter and value_mytime. The stats merges the two events into one for each id. The final eval does the actual maths.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-28-2014 01:23 PM

Try this:

key=mycounter OR key=mytime | eval value_{key} = value | stats first(value_*) as * by id | eval result = mycounter / mytime

The first eval creates two fields, value_mycounter and value_mytime. The stats merges the two events into one for each id. The final eval does the actual maths.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-28-2014 01:30 PM

Gerne! 🙂

0 Karma
Reply
Solved! Jump to solution

larsxschneider
Explorer
‎09-28-2014 01:28 PM

Awesome! Thank you very much!

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...