- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Calculate after stats command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Calculate after stats command
L.s.,
I want to get the latency from the input from a forwarder to an index. So whe use the app Meta_woot. It creates an inputlookup file meta-woot. In this file are the latest in-time and host names and index names. So far so good.
Next is to use this file for calculating if a host is late or recent or delayed. Those searches are in the app and works fine. But i want a little extension, i want a table with the indexes as leading, and then calculate (by index) the percentage recent/late host, and sum it a one outcome (per index)
So far the theory, now my tries. I used below serach.
| inputlookup meta_woot where index=*
| eval convert_late=(1440*60)
| eval convert_delayed=(60*60)
| eval last_time=(now()-recentTime)
| eval last_time_indexed=case(last_time < convert_delayed, "Recent", last_time > convert_late, "Late", last_time > convert_delayed, "Delayed")
| eval compliant_host=if(last_time_indexed="Recent", "1","0")
| stats count(compliant_host) as chost by index, compliant_host
This gives me a result where the outcome has split into indexname vs compliant_host and chost
index compliant_host chost
| main | 0 | 11 |
| main | 1 | 123 |
| msad | 1 | 6 |
| nmon | 1 | 5 |
| openshift | 1 | 1 |
| temp_log | 1 | 1 |
| wineventlog | 1 | 2 |
Now the question, how do i calculate the percentage for index main ( (123+11)/11) so i get an percentage value. How do i calculate with values after a stats command??
Pls help
Thanx in advance
greetz
Jari
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi KV,
Thanx for the answer. it give me some clues to work with. The only (and i think diffiuct thing) is that i want to group the results from the "main" and calculate between those two.
"main"has two type's ,
one with the compliant_host with value 0, and total 11
one with the compliant_host with value 1, and total 123
I want tot calculate between those two.. ((123+11)/11)*100 for the (total amount in main/11)*100
I think the hardest problem is the grouping off the "main" en then calculate witth it.
grts
Jari
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please try this?
| makeresults
| eval _raw="index,compliant_host,chost
main,0,11
main,1,123
msad,1,6
nmon,1,5
openshift,1,1
temp_log,1,1
wineventlog,1,2"
| multikv forceheader=1
| table index,compliant_host,chost
| stats sum(chost) as total list(chost) as chost by index | eval chost=mvindex(chost,0)
| eval percentage=round((total/chost)*100,2)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you looking for this?
| makeresults | eval _raw="index,compliant_host,chost
main,0,11
main,1,123
msad,1,6
nmon,1,5
openshift,1,1
temp_log,1,1
wineventlog,1,2"| multikv forceheader=1
| table index,compliant_host,chost | eventstats sum(chost) as total by index | eval percentage=round((chost/total)*100,2) | fields - total
KV
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi KV,
Sorry for the late answer, i had a free long weekend.
I think i see it now. I don't have to group it indeed, just get the one's with value "0" for the complian_host. If that one is above 33 % then i want a warning.
I think i can write this one 🙂
thanks foor the help.
grts
Jari
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
