Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get Eventstats Statistics based on an condition

hio77
New Member
‎01-15-2018 12:55 PM

Looking for a bit of advice on how to pull this one off.

What i'm trying to do is take some data, that also has a flag evaled into every event and work out the median only where that condition is true.

Short of a sub query, which I'm avoiding venturing into I'm pretty stuck on ideas.
Example data:

_time       Reconnections       CSW     SpeedUpperLimit     MedianDSRate        SpeedLowerLimit     PSW     ddDLMReconnection   
2018-01-01  2   2   14904   14404   13404   100.00 %    1
2018-01-02  2   2   14904   14404   13404   100.00 %    1
2018-01-03  2   2   14904   14404   13404   100.00 %    0
2018-01-04  6   5   14904   14404   13404   83.33 % 0

This is based on the following query:

| search PACKET_TYPE=ACCESS-ACCEPT OR PACKET_TYPE=STOP | reverse |streamstats current=f Last(_time) as Last_Time |reverse | eval TimeBetweenSession = abs(_time-Last_Time) | bucket span=1d _time |  eval ReconnectionType = if(TimeBetweenSession >= $dlmsecmin$ AND TimeBetweenSession <= $dlmsecmax$, "DLM Related Resync", ReconnectionType) | eventstats median(DSL_DSRATE) AS M by _time | eval FixedLogicFlag=if(M<15000, 1, 0) |eval ReportError = if(isnull(DSL_DSRATE) OR DSL_DSRATE="", "True", "False") | eval SRU = if(FixedLogicFlag == 1,M + 500,M *1.03) | eval SRL = if(FixedLogicFlag == 1,M -1000,M *0.92)  | stats first(ReportError) AS ReportError first(FixedLogicFlag) AS FixedLogicFlag count(DSL_DSRATE) AS Reconnections count(eval( ReconnectionType == "DLM Related Resync")) AS ddDLMReconnection first(SRU) as SpeedUpperLimit median(DSL_DSRATE) AS MedianDSRate  first(SRL) as SpeedLowerLimit  count(eval(DSL_DSRATE>=SRL AND DSL_DSRATE<= SRU)) AS CSW  by  _time | eval PSW = (CSW/Reconnections) * 100 |eval Logic Outcome = if(ReportError == "True", "Inconclusive (Reporting Error)", if(Reconnections>=10,if(PSW>82, "Inconclusive", "Truckroll"),"Inconclusive(Low Reauths)")) | table _time Reconnections  CSW SpeedUpperLimit MedianDSRate SpeedLowerLimit PSW   "Logic Outcome" ddDLMReconnection
Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-15-2018 03:01 PM

... | eventstats median(field) as median by condition | eval median = case(condition="true", median)

The eventstats will calculate the median for true and the median for false, the eval will only keep the value for true and unset the other values.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...