Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I create a derived field using two searches...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SlothB77
Engager
09-07-2018
08:42 AM
I want to create a derived field using a search string like so:
(host=HostA sourcetype="SourceTypeA" counter="CounterA" avg(ValueA)) /
(host=HostA sourcetype="SourceTypeA" counter="CounterB" avg(ValueB))
This divides the average value when counter=CounterA by the average value when counter=CounterB. I get an error when I plug this search string into the Splunk dynamic search.
I tried this alternative version:
host=Host sourcetype=SourceType counter=CounterA avg(Value) by GroupByField as numerator
counter=CounterB avg(ValueB) by GroupByField as denominator |
eval quotient= numerator/denominator |
table GroupByField, quotient
but no luck.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
09-07-2018
09:11 AM
@SlothB77,
Try,
host=Host sourcetype=SourceType |stats avg(eval(if(counter=CounterA,ValueA,null()))) as numerator,
avg(eval(if(counter=CounterB,ValueB,null()))) as denominator
by GroupByField
|eval quotient= numerator/denominator
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
09-07-2018
09:11 AM
@SlothB77,
Try,
host=Host sourcetype=SourceType |stats avg(eval(if(counter=CounterA,ValueA,null()))) as numerator,
avg(eval(if(counter=CounterB,ValueB,null()))) as denominator
by GroupByField
|eval quotient= numerator/denominator
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SlothB77
Engager
09-07-2018
09:17 AM
This code worked without error when I plugged in my values and it returned exactly what I was looking for. Well done!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
horsefez
Motivator
09-07-2018
09:09 AM
Hi @SlothB77,
I just throw a random suggestion out there.
How about:
host=HostA sourcetype="SourceTypeA"
| stats avg(ValueA) AS average_valueA, avg(ValueB) AS average_valueB by counter
| stats values(*) as *
| ratio=average_valueA/average_valueB
Props go to @DalJeanis for help on the last two lines!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
horsefez
Motivator
09-07-2018
09:01 AM
Hi @SlothB77,
please provide us some sample data and an expected output with further clarification on what you are expecting to do.
Unfortunately your SPL is just a mess. And I can't figure out what you are trying to do.
Get Updates on the Splunk Community!
Splunk App for Anomaly Detection End of Life Announcement
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
