1) In the picture attached, I want to display the values >300 as good and less than 300 as bad
2) The other part is to calculate the avg of each row (i.e. (calgary+leatherhead+Melbourne)/3) and display a new column with the avg of those, and if the value is >350 it is good and less than 350 as bad
thank you so much guys
Be sure to close out the question by picking the answer that you like the best and clicking "Accept".
Like this:
index=pams sourcetype=transaction transaction_status=Success transaction="PAMS 2GiB Read" (host=ups6z4420yh24* OR host=ldn6z442166w6* OR host=cal6z442804vy* OR host=esh6z4419fvaj*) earliest=-1d@d latest=now | eval duration=2048000/duration | eval sitecode=substr(upper(hostname),1,3) | lookup app_utc_site_lat_long.csv sitecode OUTPUTNEW site | timechart avg(duration) by site | addtotals row=t | eval cols=-2 | foreach * [eval cols=cols+1] | eval AllSiteAvg=Total/cols | fields - Total cols | foreach * [eval <<FIELD>>_status = if((<<FIELD>> > 300), "GOOD", "BAD")] | fields - _time_status
Try something like this (fixed the timechart span to 30 mins in bucket/timechart command)
index=pams ..rest of base search host="ups... rest of host filter | eval duration=(2048/duration)*1000 | bucket span=30m _time | stats avg(duration) as duration by _time hostname | eval sitecode=substr(upper(hostname),1,3) | lookup app_utc_site_lat_long.csv sitecode OUTPUTNEW site | table _time site duration | appendpipe [| stats avg(duration) as duration by _time | eval site="TotalAvg"] | timechart span=30m avg(duration) as duration by site | eval category=if(TotalAvg>300,"Good","Bad")
What you want to show as in good OR bad? Can you provide sample output you expect?
if the avg of three fields calgary+leatherhead+Melbourne/3 is greater than 300 then the avg value should be displayed and it should fall in good category for example
_time       calgary  houston  melbourne  average  status
2015-09-08  10       20       30         20       good
the average of 10+20+30/3=20
since its avg is greater than 10 it is good or else it should be bad
One final question, will it be ok for you to fix the span of timechart??
ya so is there anything to do with that
Hi somesh, if you don't mind, can I have your email id? I have seen you have almost 3 yrs exp in splunk as a dev and admin
Sure.. it's somesh.soni@gmail.com
There is no picture attached. Perhaps you could cut-and-paste the search query. Highlight the text of the search query, then use the 101010 icon to format it as "code" and it will look fine.
can you see the pic now