Solved: How can I divide two variables in the same search?

byessayian · ‎02-10-2013

Here's an example of a string I'm looking for:

15:55:37.732 ( 5436:15032) G-MST: 2000001D "00020000-dff6-5032-e3c7-0010491e0e23" ("10.101.16.126","10.101.16.147"),6(G722),rsn:1,23:55:37.629 (UTC),pl:20,(s:45, r:38, l:2294),(j:0,u:0,o:0) flgs:0x00000000 "sip:255@10.101.16.11:5441",vpn:0

I'm interested in the percentage of packet loss. Packets sent are "s:45" and packets received are "r:38". For this example, I'd like to generate an alert on a packet loss of 10% or more.

Could someone please help me?

Ayn · ‎02-10-2013

... | rex "\(s:(?<packets_sent>\d+), r:(?<packets_received>\d+)" | eval packet_loss=1-(packets_received/packets_sent) | where packet_loss>0.1

View solution in original post

Ayn · ‎02-10-2013

... | rex "\(s:(?<packets_sent>\d+), r:(?<packets_received>\d+)" | eval packet_loss=1-(packets_received/packets_sent) | where packet_loss>0.1

byessayian · ‎02-12-2013

Wow! That's brilliant! I'm new to the Splunk community. You answered promptly and accurately. That did it. Thank you so much!

How can I divide two variables in the same search?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How can I divide two variables in the same search?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!