Solved: How to create a bucket of number of events instead...

msyparker · ‎04-01-2020

Hello! 🙂

I'm tryng to get statistics of groups of 200 events.

For instance, I have the following stats:

|stats sum(CPU) avg(resptime) c as "total"

sum(CPU)----------avg(resptime)----------total
1000-----------------0.00240------------------800

What I wanted to have is:

sum(CPU)----------avg(resptime)----------total
120-------------------0.00125------------------200
300-------------------0.00124------------------200
480-------------------0.00122------------------200
100-------------------0.00122------------------200

OBS. I know how to create bins of time span, but what I need is to make buckets based on event quantity and NOT time.

Thank you in advance!

woodcock · ‎04-01-2020

Like this:

... | streamstats count AS _serial
| eval _bucketOf200 = floor((_serial - 1)/ 200)
| stats sum(CPU) avg(resptime) count AS total BY _bucketOf200

View solution in original post

woodcock · ‎04-01-2020

Like this:

... | streamstats count AS _serial
| eval _bucketOf200 = floor((_serial - 1)/ 200)
| stats sum(CPU) avg(resptime) count AS total BY _bucketOf200

How to create a bucket of number of events instead of time?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application