Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to use eval with mstats

nouraali
Explorer
‎08-18-2021 01:42 AM
Hi,

I want to run something similar to the below on metrics data stored in metrics index, can you please assist:
eval ip34 = if(ip=="37.25.139.34",1,0) ,ip35 = if(ip=="37.25.139.35",1,0)
| mstats sum(ip34) , sum(ip35) ,
         avg(bytes) , stdev(bytes) , median(bytes) 
         avg(response_time_s) , stdev(response_time_s) , median(response_time_s) 
  where index=sfp_metrics earliest=-5m@m latest=@m span=1m by uri

 It gives me:

nouraali_0-1629275967777.png

Any idea how to achieve this would be appreciated.

 

Best Regards,

Labels (1)
Labels
Tags (3)
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎08-18-2021 07:36 PM

Hi @nouraali 

Never tried mstats your SPL need a change, try this 

| mstats count(eval(ip=="37.25.139.34")) as ip34 , count(eval(ip=="37.25.139.35")) as ip35 ,
         avg(bytes) , stdev(bytes) , median(bytes) 
         avg(response_time_s) , stdev(response_time_s) , median(response_time_s) 
  where index=sfp_metrics earliest=-5m@m latest=@m span=1m by uri 
| eventstats sum(ip34) as ip34, sum(ip35) as ip35 by uri 
| table ip* avg* std* med* uri

 

Tags (2)
0 Karma
Reply

nouraali
Explorer
‎08-19-2021 02:11 AM

This gives me the below errors:

nouraali_0-1629364286710.png

 

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎08-19-2021 04:44 AM

| mstats seems doesn't support stats style eval aggr functions. How about changing to stats?

index=sfp_metrics earliest=-5m@m latest=now
| bin span=1m _time
| stats count(eval(ip=="37.25.139.34")) as ip34, count(eval(ip=="37.25.139.35")) as ip35,avg(bytes),stdev(bytes),median(bytes),avg(response_time_s),stdev(response_time_s),median(response_time_s) by _time, uri 
| eventstats sum(ip34) as ip34, sum(ip35) as ip35 by uri 
| table ip* avg* std* med* uri
0 Karma
Reply

nouraali
Explorer
‎08-27-2021 02:51 AM

This works only on events index, while the data i am searching is stored in metrics index.

nouraali_0-1630057871689.png

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...