Splunk Search

Calculate after stats command

jariw
Path Finder

L.s.,

I want to get the latency from the input on a forwarder to an index. So we use the app Meta_woot. It creates a lookup file, meta_woot. This file contains the latest in-time, host names and index names. So far so good.

Next is to use this file for calculating if a host is late, recent or delayed. Those searches are in the app and work fine. But I want a little extension: I want a table with the indexes as leading, and then calculate (by index) the percentage of recent/late hosts, and sum it into one outcome (per index).

So far the theory, now my tries. I used the search below.

| inputlookup meta_woot where index=*
| eval convert_late=(1440*60)
| eval convert_delayed=(60*60)
| eval last_time=(now()-recentTime)
| eval last_time_indexed=case(last_time < convert_delayed, "Recent", last_time > convert_late, "Late", last_time > convert_delayed, "Delayed")
| eval compliant_host=if(last_time_indexed="Recent", "1","0")
| stats count(compliant_host) as chost by index, compliant_host

This gives me a result where the outcome has been split into index name vs compliant_host and chost:

index        compliant_host  chost
main         0               11
main         1               123
msad         1               6
nmon         1               5
openshift    1               1
temp_log     1               1
wineventlog  1               2

Now the question: how do I calculate the percentage for index main ((123+11)/11) so I get a percentage value? How do I calculate with values after a stats command?

Please help.

Thanks in advance

greetz

Jari


jariw
Path Finder

Hi KV,


Thanks for the answer. It gives me some clues to work with. The only (and I think difficult) thing is that I want to group the results from the "main" and calculate between those two.

"main" has two types:

one with compliant_host with value 0, and total 11

one with compliant_host with value 1, and total 123

I want to calculate between those two.. ((123+11)/11)*100, for the (total amount in main/11)*100

I think the hardest problem is the grouping of the "main" and then calculating with it.

grts


Jari


kamlesh_vaghela
SplunkTrust

@jariw 


Can you please try this?

| makeresults 
| eval _raw="index,compliant_host,chost
main,0,11
main,1,123
msad,1,6
nmon,1,5
openshift,1,1
temp_log,1,1
wineventlog,1,2" 
| multikv forceheader=1 
| table index,compliant_host,chost 
| stats sum(chost) as total list(chost) as chost by index
| eval chost=mvindex(chost,0)
| eval percentage=round((total/chost)*100,2)

kamlesh_vaghela
SplunkTrust

@jariw 

Are you looking for this?

| makeresults
| eval _raw="index,compliant_host,chost
main,0,11
main,1,123
msad,1,6
nmon,1,5
openshift,1,1
temp_log,1,1
wineventlog,1,2"
| multikv forceheader=1
| table index,compliant_host,chost
| eventstats sum(chost) as total by index
| eval percentage=round((chost/total)*100,2)
| fields - total


KV


jariw
Path Finder

Hi KV,

Sorry for the late answer, I had a long free weekend.

I think I see it now. I don't have to group it indeed, just get the ones with value "0" for compliant_host. If that one is above 33% then I want a warning.

I think I can write this one 🙂


Thanks for the help.


grts


Jari

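As an added example (not one of the searches posted in this thread), the following search puts the pieces together for the end goal Jari describes: the share of non-compliant (compliant_host=0) hosts per index, with a warning flag above the 33% threshold. It computes the conditional sum inside the stats command itself, so no list()/mvindex() step is needed and an index with no compliant_host=0 row correctly comes out at 0% instead of being dropped. The makeresults/multikv rows are the constructed sample data from the thread; the field names compliant_host and chost are the ones from the first post, and the output field names (noncompliant_hosts, total_hosts, pct_noncompliant, status) are chosen here.

```spl
| makeresults
| eval _raw="index,compliant_host,chost
main,0,11
main,1,123
msad,1,6
nmon,1,5
openshift,1,1
temp_log,1,1
wineventlog,1,2"
| multikv forceheader=1
| table index,compliant_host,chost
| stats sum(eval(if(tonumber(compliant_host)=0, tonumber(chost), 0))) as noncompliant_hosts
        sum(chost) as total_hosts
        by index
| eval pct_noncompliant=round((noncompliant_hosts/total_hosts)*100, 2)
| eval status=if(pct_noncompliant > 33, "WARNING", "OK")
| sort - pct_noncompliant
```

With the sample rows, main comes out at 8.21% non-compliant and every other index at 0%, so all rows carry status OK. Against live data, replace everything up to and including the table command with the `| inputlookup meta_woot ...` pipeline from the first post (through its stats command), and the percentage and status lines apply unchanged.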