How to take the result from a timechart 'sum by' a...

jhewel2495 · ‎02-10-2023

Hello, what I am trying to do in this search is sum the total CPU seconds, by report class, for a one day period. Once I have that sum, I would like to take it one step further and multiply that sum by our MSU factor to determine the MSUs used by a specific report class for any given day.

I believe what I need to do is store the result from the timechart statement as a new variable, to be able to multiply that variable by the MSUFactor. I have not had any luck in trying a combination of 'eval' statements or by leveraging the AS keyword to store the result into a variable I can further work with.

I appreciate any help you may be able to offer!

index=z* MFSOURCETYPE=SMF030 Subtype=2 `calccpusecs`
| where Rptcls IN("RHOTBAT","RPDBATLO","RPDBATMD","RSAGBAT","RTSTBAT")
| eval MSUFactor=(37209.3023/5/216000)
| timechart span=1d sum(cpusecs) by Rptcls
| addcoltotals

richgalloway · ‎02-10-2023

Try this. It cycles through each report class and uses eval to compute the MSUs used.

index=z* MFSOURCETYPE=SMF030 Subtype=2 `calccpusecs`
| where Rptcls IN("RHOTBAT","RPDBATLO","RPDBATMD","RSAGBAT","RTSTBAT")
| eval MSUFactor=(37209.3023/5/216000)
| timechart span=1d sum(cpusecs) by Rptcls
| foreach RHOTBAT RPDBATLO RPDBATMD RSAGBAT RTSTBAT [ eval <<FIELD>>_MSUs=<<FIELD>> * MSUFactor ]
| addcoltotals

Note that <<FIELD>> is literal, not a placeholder.

---
If this reply helps you, Karma would be appreciated.

How to take the result from a timechart 'sum by' and multiply it by another value?

timechart

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)