Splunk Search

How to get the average of two fields and compare with last event?

vtsguerrero
Contributor

I have a simple search like

index=main sourcetype=performance Status=*
| eval Status = if(Status=="S","Success","Error")

Then I should have a count for each status, example 50 Success and 20 Errors.
Then get the average of those two counts, and finally compare this average to last event so I can get the average difference to the last event.
How can achieve this?

Thanks in advance!

Tags (4)
0 Karma
1 Solution

woodcock
Esteemed Legend

The basic answer is very easy; like this:

 index=main sourcetype=performance Status=* | eval Status = if(Status=="S","Success","Error") | stats count BY Status

The problem is the "compare to last event" part, which doesn't make sense to me.

View solution in original post

woodcock
Esteemed Legend

The basic answer is very easy; like this:

 index=main sourcetype=performance Status=* | eval Status = if(Status=="S","Success","Error") | stats count BY Status

The problem is the "compare to last event" part, which doesn't make sense to me.

vtsguerrero
Contributor

This pretty much solves the problem, just need to get the average of errors and success now...

0 Karma

vtsguerrero
Contributor

My data is similar to this line:

05112015ZK00S09MAIN
05112015ZK00S14MAIN
05112015ZK00E65MAIN
05102015ZK00E22MAIN
05102015ZK00S01MAIN

Where the "S" or "E" stands for Status.
So I should get the average of events with Success, the average of Errors.
They were both extracted positional regex as "Status"
How can I get the average of'em ?

0 Karma

sideview
SplunkTrust
SplunkTrust

I'm sorry but this question doesn't make any sense so I think you're just asking it in a confusing way. "the average of events with Success, the average of Errors" makes very little sense.

Do you want to end up with a single overall average success rate like 37%?

If so then
index=main sourcetype=performance Status=* | eval foo=1 | chart count over foo by Status | eval ratio=100*
(S/E) | eval ratio=ratio + "%"
will do the trick.

But this wouldn't incorporate your other requirement, "compare this average to last event so I can get the average difference to the last event" which still doesn't make sense.

0 Karma

vtsguerrero
Contributor

Well, this person asked us to get a deviation of average status error / success, I'm not acctually sure if this is possible. He wants a red/yellow/green light indicator to show if the deviation is higher less then 30%, less then 50% or higher then 50% deviation

0 Karma

woodcock
Esteemed Legend

I agree; you gave us the 1st part (sample events) but not the 2nd part (mockup of final desire).

0 Karma

sideview
SplunkTrust
SplunkTrust

Are these individual events single-line events with only one value for Status each, that then are written out in big groups of events, where each group for you constitutes some "event" in the real world?
Or are these events large multiline events with multiple values of Status in each?

0 Karma

woodcock
Esteemed Legend

I do not understand. Show sample events and mockup of desired final data.

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...