Splunk Search

How to take the result from a timechart 'sum by' and multiply it by another value?

jhewel2495
Engager

Hello, what I am trying to do in this search is sum the total CPU seconds, by report class, for a one day period. Once I have that sum, I would like to take it one step further and multiply that sum by our MSU factor to determine the MSUs used by a specific report class for any given day. 

I believe what I need to do is store the result from the timechart statement as a new variable, to be able to multiply that variable by the MSUFactor. I have not had any luck in  trying a combination of 'eval' statements or by leveraging the AS keyword to store the result into a variable I can further work with. 

I appreciate any help you may be able to offer!

index=z* MFSOURCETYPE=SMF030 Subtype=2 `calccpusecs`
| where Rptcls IN("RHOTBAT","RPDBATLO","RPDBATMD","RSAGBAT","RTSTBAT")
| eval MSUFactor=(37209.3023/5/216000)
| timechart span=1d sum(cpusecs) by Rptcls
| addcoltotals

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this.  It cycles through each report class and uses eval to compute the MSUs used.

index=z* MFSOURCETYPE=SMF030 Subtype=2 `calccpusecs`
| where Rptcls IN("RHOTBAT","RPDBATLO","RPDBATMD","RSAGBAT","RTSTBAT")
| eval MSUFactor=(37209.3023/5/216000)
| timechart span=1d sum(cpusecs) by Rptcls
| foreach RHOTBAT RPDBATLO RPDBATMD RSAGBAT RTSTBAT [ eval <<FIELD>>_MSUs=<<FIELD>> * MSUFactor ]
| addcoltotals

  Note that <<FIELD>> is literal, not a placeholder. 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...