Splunk Search

Calculate after stats command

jariw
Explorer

L.s.,

I want to get the latency from the input from a forwarder to an index. So we use the app Meta_woot. It creates an inputlookup file meta-woot. In this file are the latest in-time and host names and index names. So far so good.

Next is to use this file for calculating if a host is late or recent or delayed. Those searches are in the app and work fine. But I want a little extension: I want a table with the indexes as leading, and then calculate (by index) the percentage recent/late host, and sum it to one outcome (per index).

So far the theory, now my tries. I used the search below.

| inputlookup meta_woot where index=*
| eval convert_late=(1440*60)
| eval convert_delayed=(60*60)
| eval last_time=(now()-recentTime)
| eval last_time_indexed=case(last_time < convert_delayed, "Recent", last_time > convert_late, "Late", last_time > convert_delayed, "Delayed")
| eval compliant_host=if(last_time_indexed="Recent", "1","0")
| stats count(compliant_host) as chost by index, compliant_host

This gives me a result where the outcome is split into index name vs compliant_host and chost:

index        compliant_host  chost
main         0               11
main         1               123
msad         1               6
nmon         1               5
openshift    1               1
temp_log     1               1
wineventlog  1               2

Now the question: how do I calculate the percentage for index main ( (123+11)/11 ) so I get a percentage value? How do I calculate with values after a stats command?

Pls help

Thanx in advance

greetz

Jari


jariw
Explorer

Hi KV,

 

Thanx for the answer. It gives me some clues to work with. The only (and I think difficult) thing is that I want to group the results from "main" and calculate between those two.

"main" has two types:

one with compliant_host value 0, and total 11

one with compliant_host value 1, and total 123

I want to calculate between those two: ((123+11)/11)*100, i.e. (total amount in main/11)*100.

I think the hardest problem is grouping "main" and then calculating with it.

grts

 

Jari


kamlesh_vaghela
SplunkTrust

@jariw 

 

Can you please try this?

| makeresults 
| eval _raw="index,compliant_host,chost
main,0,11
main,1,123
msad,1,6
nmon,1,5
openshift,1,1
temp_log,1,1
wineventlog,1,2" 
| multikv forceheader=1 
| table index,compliant_host,chost 
| stats sum(chost) as total list(chost) as chost by index
| eval chost=mvindex(chost,0)
| eval percentage=round((total/chost)*100,2)

kamlesh_vaghela
SplunkTrust

@jariw 

Are you looking for this?

| makeresults
| eval _raw="index,compliant_host,chost
main,0,11
main,1,123
msad,1,6
nmon,1,5
openshift,1,1
temp_log,1,1
wineventlog,1,2"
| multikv forceheader=1
| table index,compliant_host,chost
| eventstats sum(chost) as total by index
| eval percentage=round((chost/total)*100,2)
| fields - total

 

KV


jariw
Explorer

Hi KV,

Sorry for the late answer, I had a free long weekend.

I think I see it now. I don't have to group it indeed, just get the ones with value "0" for the compliant_host. If that one is above 33 % then I want a warning.

I think I can write this one 🙂

 

Thanks for the help.

 

grts

 

Jari
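Putting KV's eventstats answer and Jari's final goal (warn when more than 33 % of an index's hosts are non-compliant) together, as an added example that is not from either poster. It reuses KV's constructed sample data; the field names noncompliant, total_hosts, pct_noncompliant and status and the 33 threshold are assumptions. Computing both sums in one stats keeps indexes that have no compliant_host=0 row at all (they come out as 0 %), instead of dropping them the way a where on compliant_host=0 would.

```spl
| makeresults
| eval _raw="index,compliant_host,chost
main,0,11
main,1,123
msad,1,6
nmon,1,5
openshift,1,1
temp_log,1,1
wineventlog,1,2"
| multikv forceheader=1
| table index,compliant_host,chost
``` stats collapses the per-index rows: hosts with compliant_host="0" and all hosts in one pass ```
| stats sum(eval(if(compliant_host="0", chost, 0))) as noncompliant sum(chost) as total_hosts by index
``` percentage of non-compliant hosts per index; main gives 11/134 = 8.21 ```
| eval pct_noncompliant=round(noncompliant/total_hosts*100, 2)
``` flag the indexes above the threshold from the thread ```
| eval status=if(pct_noncompliant > 33, "WARNING", "OK")
| table index, noncompliant, total_hosts, pct_noncompliant, status
```

In the real search the makeresults/multikv block is replaced by the `| inputlookup meta_woot ...` pipeline from the first post, with the final `stats count(...) by index, compliant_host` swapped for the stats above.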
