Splunk Search

How to categorize search results as "good" or "bad" based on values returned?

Builder

[attached image]
1) In the picture attached, I want to display the values >300 as good and less than 300 as bad

2) The other part is to calculate the avg of each row (i.e. (calgary+leatherhead+Melbourne)/3) and display a new column with the avg of those, and if the value is >350 it is good and less than 350 as bad

Legend

There is no picture attached. Perhaps you could cut-and-paste the search query. Highlight the text of the search query, then use the 101010 icon to format it as "code" and it will look fine.

Builder

Can you see the pic now?

SplunkTrust

What do you want to show as good or bad? Can you provide the sample output you expect?

Builder

If the avg of the three fields (calgary+leatherhead+Melbourne)/3 is greater than 300, then the avg value should be displayed and it should fall in the good category. For example:

_time       calgary  houston  melbourne  average  status
2015-09-08  10       20       30         20       good

The average is (10+20+30)/3=20.
Since its avg is greater than 10 it is good, or else it should be bad.

SplunkTrust

One final question: will it be ok for you to fix the span of the timechart?

Builder

Ya, so is there anything to do with that?

Builder

Hi somesh, if you don't mind, can I have your email id? I have seen you have almost 3 yrs exp in Splunk as a dev and admin.

SplunkTrust

Sure.. it's somesh.soni@gmail.com

SplunkTrust

Try something like this (I fixed the timechart span to 30 mins in the bucket/timechart commands):

index=pams ..rest of base search host="ups... rest of host filter
| eval duration=(2048/duration)*1000
| bucket span=30m _time
| stats avg(duration) as duration by _time hostname
| eval sitecode=substr(upper(hostname),1,3)
| lookup app_utc_site_lat_long.csv sitecode OUTPUTNEW site
| table _time site duration
| appendpipe [| stats avg(duration) as duration by _time | eval site="TotalAvg"]
| timechart span=30m avg(duration) as duration by site
| eval category=if(TotalAvg>300,"Good","Bad")
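Added example (not from this thread or any participant): the two parts of the original question, per-site good/bad against 300 and a per-row average against 350, run on constructed sample rows. The three `makeresults`/`append` rows stand in for the questioner's table (the site column names calgary, houston and melbourne are taken from the sample in the thread, the values are made up); the first `foreach` labels each site value, the second sums only the sites present in the row so a missing site does not null the whole average, and the last two evals apply the 350 threshold.

```spl
| makeresults
| eval _time=strptime("2015-09-08 10:00", "%Y-%m-%d %H:%M"), calgary=310, houston=280, melbourne=420
| append [| makeresults | eval _time=strptime("2015-09-08 10:30", "%Y-%m-%d %H:%M"), calgary=290, houston=270, melbourne=260]
| append [| makeresults | eval _time=strptime("2015-09-08 11:00", "%Y-%m-%d %H:%M"), calgary=360, melbourne=400]
| foreach calgary houston melbourne
    [ eval <<FIELD>>_status=case(isnull('<<FIELD>>'), "n/a", '<<FIELD>>' > 300, "good", true(), "bad") ]
| eval sum=0, n=0
| foreach calgary houston melbourne
    [ eval sum=sum + coalesce('<<FIELD>>', 0), n=n + if(isnotnull('<<FIELD>>'), 1, 0) ]
| eval average=if(n > 0, round(sum / n, 1), null())
| eval status=if(average > 350, "good", "bad")
| fieldformat _time=strftime(_time, "%Y-%m-%d %H:%M")
| table _time calgary calgary_status houston houston_status melbourne melbourne_status average status
```

The third row, which has no houston value, gets `houston_status=n/a` and an average over the two sites present (380.0, status good) rather than a blank average; replace the `makeresults` rows with the real `timechart ... by site` output to use it on live data.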