Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combine two counts where event2 is a subset of event2

elaoumam
Engager
‎06-07-2019 11:50 PM

Hi there,

I have these two searchs to count TPS :
First one :

index=tutti sourcetype=toto status!=4  | bucket span=1m _time | stats count by _time | stats sum(count) as Rate_per_Minute by _time | eval Rate_per_Second = Rate_per_Minute / 60 | stats max(Rate_per_Second) as Peak_Rate_per_Second by _time | rename _time as Registered_At | fieldformat Registered_At = strftime(Registered_At, "%Y-%m-%d %H:%M:%S") | sort - Peak_Rate_per_Second | head 1

Second one :

index=tutti sourcetype=toto notif=1 AND orig=0 AND status!=9 AND status!=4  | bucket span=1m _time | stats count by _time | stats sum(count) as Rate_per_Minute by _time | eval Rate_per_Second = Rate_per_Minute / 60 | stats max(Rate_per_Second) as Peak_Rate_per_Second by _time | rename _time as Registered_At | fieldformat Registered_At = strftime(Registered_At, "%Y-%m-%d %H:%M:%S") | sort - Peak_Rate_per_Second | head 1

I want to combine both counts to sum their counts per minute before deviding by 60 knowing that event2 is a subset of event1 (like counting it twice).

I don't seem to find a way to do that.

Can ayone please help me on this one ?

Best Regards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎06-09-2019 02:21 AM

something like this

index=tutti sourcetype=toto status!=4|eval event=if(notif=1 AND orig=0 AND status!=9 AND status!=4,"event1","event2")|
bucket span=1m _time | stats count(event) by _time

See the output from the above and then you can re-tweak the rest of your code just a bit

View solution in original post

Reply
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎06-09-2019 02:21 AM

something like this

index=tutti sourcetype=toto status!=4|eval event=if(notif=1 AND orig=0 AND status!=9 AND status!=4,"event1","event2")|
bucket span=1m _time | stats count(event) by _time

See the output from the above and then you can re-tweak the rest of your code just a bit

Reply
Solved! Jump to solution

elaoumam
Engager
‎06-10-2019 06:57 AM

Thanks for the answer !
It does work perfectly as expected when tweaking it a bit as follows :
index=tutti sourcetype=toto status!=4 | eval event=if(notif=1 AND orig=0 AND status!=4 AND status!=9,"event2","event1") | bucket span=1m _time | stats count(eval(event="event1")) AS count1, count(eval(event="event2")) AS count2 by _time | eval counts = 2 * count2 + count1 | stats sum(counts) as Rate_per_Minute by _time | eval Rate_per_Second = Rate_per_Minute / 60 | stats max(Rate_per_Second) as Peak_Rate_per_Second by _time | rename _time as Registered_At | fieldformat Registered_At = strftime(Registered_At, "%Y-%m-%d %H:%M:%S") | sort - Peak_Rate_per_Second | head 1

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎06-10-2019 08:32 AM

you have done quite a bit of tweaking 🙂 I was not sure about your exact requirements, but knew that what you are looking for is to split the raw events using an if...great that you figured out the rest!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...