Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use eval with mstats

nouraali
Explorer
‎08-18-2021 01:42 AM
Hi,

I want to run something similar to the below on metrics data stored in metrics index, can you please assist:
eval ip34 = if(ip=="37.25.139.34",1,0) ,ip35 = if(ip=="37.25.139.35",1,0)
| mstats sum(ip34) , sum(ip35) ,
         avg(bytes) , stdev(bytes) , median(bytes) 
         avg(response_time_s) , stdev(response_time_s) , median(response_time_s) 
  where index=sfp_metrics earliest=-5m@m latest=@m span=1m by uri

 It gives me:

nouraali_0-1629275967777.png

Any idea how to achieve this would be appreciated.

 

Best Regards,

Labels (1)
Labels
Tags (3)
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎08-18-2021 07:36 PM

Hi @nouraali 

Never tried mstats your SPL need a change, try this 

| mstats count(eval(ip=="37.25.139.34")) as ip34 , count(eval(ip=="37.25.139.35")) as ip35 ,
         avg(bytes) , stdev(bytes) , median(bytes) 
         avg(response_time_s) , stdev(response_time_s) , median(response_time_s) 
  where index=sfp_metrics earliest=-5m@m latest=@m span=1m by uri 
| eventstats sum(ip34) as ip34, sum(ip35) as ip35 by uri 
| table ip* avg* std* med* uri

 

Tags (2)
0 Karma
Reply

nouraali
Explorer
‎08-19-2021 02:11 AM

This gives me the below errors:

nouraali_0-1629364286710.png

 

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎08-19-2021 04:44 AM

| mstats seems doesn't support stats style eval aggr functions. How about changing to stats?

index=sfp_metrics earliest=-5m@m latest=now
| bin span=1m _time
| stats count(eval(ip=="37.25.139.34")) as ip34, count(eval(ip=="37.25.139.35")) as ip35,avg(bytes),stdev(bytes),median(bytes),avg(response_time_s),stdev(response_time_s),median(response_time_s) by _time, uri 
| eventstats sum(ip34) as ip34, sum(ip35) as ip35 by uri 
| table ip* avg* std* med* uri
0 Karma
Reply

nouraali
Explorer
‎08-27-2021 02:51 AM

This works only on events index, while the data i am searching is stored in metrics index.

nouraali_0-1630057871689.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...