Splunk Search

How to get Eventstats Statistics based on a condition

hio77
New Member

Looking for a bit of advice on how to pull this one off.

What I'm trying to do is take some data that also has a flag evaled into every event, and work out the median only where that condition is true.

Short of a subquery, which I'm avoiding venturing into, I'm pretty stuck on ideas.
Example data:

| _time | Reconnections | CSW | SpeedUpperLimit | MedianDSRate | SpeedLowerLimit | PSW | ddDLMReconnection |
|---|---|---|---|---|---|---|---|
| 2018-01-01 | 2 | 2 | 14904 | 14404 | 13404 | 100.00 % | 1 |
| 2018-01-02 | 2 | 2 | 14904 | 14404 | 13404 | 100.00 % | 1 |
| 2018-01-03 | 2 | 2 | 14904 | 14404 | 13404 | 100.00 % | 0 |
| 2018-01-04 | 6 | 5 | 14904 | 14404 | 13404 | 83.33 % | 0 |

This is based on the following query:

| search PACKET_TYPE=ACCESS-ACCEPT OR PACKET_TYPE=STOP
| reverse
| streamstats current=f last(_time) AS Last_Time
| reverse
| eval TimeBetweenSession = abs(_time - Last_Time)
| bucket span=1d _time
| eval ReconnectionType = if(TimeBetweenSession >= $dlmsecmin$ AND TimeBetweenSession <= $dlmsecmax$, "DLM Related Resync", ReconnectionType)
| eventstats median(DSL_DSRATE) AS M by _time
| eval FixedLogicFlag = if(M < 15000, 1, 0)
| eval ReportError = if(isnull(DSL_DSRATE) OR DSL_DSRATE = "", "True", "False")
| eval SRU = if(FixedLogicFlag == 1, M + 500, M * 1.03)
| eval SRL = if(FixedLogicFlag == 1, M - 1000, M * 0.92)
| stats first(ReportError) AS ReportError first(FixedLogicFlag) AS FixedLogicFlag count(DSL_DSRATE) AS Reconnections count(eval(ReconnectionType == "DLM Related Resync")) AS ddDLMReconnection first(SRU) AS SpeedUpperLimit median(DSL_DSRATE) AS MedianDSRate first(SRL) AS SpeedLowerLimit count(eval(DSL_DSRATE >= SRL AND DSL_DSRATE <= SRU)) AS CSW by _time
| eval PSW = (CSW / Reconnections) * 100
| eval "Logic Outcome" = if(ReportError == "True", "Inconclusive (Reporting Error)", if(Reconnections >= 10, if(PSW > 82, "Inconclusive", "Truckroll"), "Inconclusive (Low Reauths)"))
| table _time Reconnections CSW SpeedUpperLimit MedianDSRate SpeedLowerLimit PSW "Logic Outcome" ddDLMReconnection

martin_mueller
SplunkTrust

... | eventstats median(field) as median by condition | eval median = case(condition="true", median)

The eventstats will calculate the median for true and the median for false, the eval will only keep the value for true and unset the other values.
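The pattern from the answer, applied to the fields in the question as an added, self-contained example (not code from either poster). It builds its own sample events with `makeresults` so it runs in any Splunk search bar without indexed data: six events per day, of which three are flagged as "DLM Related Resync". The `IsDLM` flag, the sample rates and the final `eventstats max(...)` step that copies the true-only median back onto every event in the day bucket are assumptions added here, not something the question asked for explicitly.

```spl
| makeresults count=12
| streamstats count AS n
| eval _time = strptime("2018-01-01", "%Y-%m-%d") + 86400 * floor((n - 1) / 6)
| eval r = n % 6
| eval DSL_DSRATE = case(r == 1, 14404, r == 2, 13900, r == 3, 14600, r == 4, 16000, r == 5, 14900, true(), 15200)
| eval ReconnectionType = if(r >= 1 AND r <= 3, "DLM Related Resync", "Other")
| eval IsDLM = if(ReconnectionType == "DLM Related Resync", "true", "false")
| eventstats median(DSL_DSRATE) AS DLM_Median by _time IsDLM
| eval DLM_Median = case(IsDLM == "true", DLM_Median)
| eventstats max(DLM_Median) AS DLM_Median by _time
| table _time n DSL_DSRATE ReconnectionType IsDLM DLM_Median
```

Two points worth checking when adapting this to the real query. First, `eventstats ... by _time IsDLM` silently drops any event whose `IsDLM` is null from the grouping, and in the question's query `ReconnectionType` is only ever set when the DLM condition holds, so derive an explicit true/false flag on every event (as `IsDLM` is here) before grouping. Second, after the `case()` the median exists only on the "true" events; the extra `eventstats max(DLM_Median) by _time` (stats functions ignore nulls) spreads that single value across the whole day bucket so it can feed later calculations such as the SRU/SRL thresholds, which is the step the two-line answer leaves to the reader.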
