How to take the result from a timechart 'sum by' a...

jhewel2495 · ‎02-10-2023

Hello, what I am trying to do in this search is sum the total CPU seconds, by report class, for a one day period. Once I have that sum, I would like to take it one step further and multiply that sum by our MSU factor to determine the MSUs used by a specific report class for any given day.

I believe what I need to do is store the result from the timechart statement as a new variable, to be able to multiply that variable by the MSUFactor. I have not had any luck in trying a combination of 'eval' statements or by leveraging the AS keyword to store the result into a variable I can further work with.

I appreciate any help you may be able to offer!

index=z* MFSOURCETYPE=SMF030 Subtype=2 `calccpusecs`
| where Rptcls IN("RHOTBAT","RPDBATLO","RPDBATMD","RSAGBAT","RTSTBAT")
| eval MSUFactor=(37209.3023/5/216000)
| timechart span=1d sum(cpusecs) by Rptcls
| addcoltotals

richgalloway · ‎02-10-2023

Try this. It cycles through each report class and uses eval to compute the MSUs used.

index=z* MFSOURCETYPE=SMF030 Subtype=2 `calccpusecs`
| where Rptcls IN("RHOTBAT","RPDBATLO","RPDBATMD","RSAGBAT","RTSTBAT")
| eval MSUFactor=(37209.3023/5/216000)
| timechart span=1d sum(cpusecs) by Rptcls
| foreach RHOTBAT RPDBATLO RPDBATMD RSAGBAT RTSTBAT [ eval <<FIELD>>_MSUs=<<FIELD>> * MSUFactor ]
| addcoltotals

Note that <<FIELD>> is literal, not a placeholder.

---
If this reply helps you, Karma would be appreciated.

How to take the result from a timechart 'sum by' and multiply it by another value?

timechart

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?