Re: How to use eval with mstats

nouraali · ‎08-18-2021

Hi,

I want to run something similar to the below on metrics data stored in metrics index, can you please assist:

eval ip34 = if(ip=="37.25.139.34",1,0) ,ip35 = if(ip=="37.25.139.35",1,0)
| mstats sum(ip34) , sum(ip35) ,
         avg(bytes) , stdev(bytes) , median(bytes) 
         avg(response_time_s) , stdev(response_time_s) , median(response_time_s) 
  where index=sfp_metrics earliest=-5m@m latest=@m span=1m by uri

It gives me:

Any idea how to achieve this would be appreciated.

Best Regards,

venkatasri · ‎08-18-2021

Hi @nouraali

Never tried mstats your SPL need a change, try this

| mstats count(eval(ip=="37.25.139.34")) as ip34 , count(eval(ip=="37.25.139.35")) as ip35 ,
         avg(bytes) , stdev(bytes) , median(bytes) 
         avg(response_time_s) , stdev(response_time_s) , median(response_time_s) 
  where index=sfp_metrics earliest=-5m@m latest=@m span=1m by uri 
| eventstats sum(ip34) as ip34, sum(ip35) as ip35 by uri 
| table ip* avg* std* med* uri

nouraali · ‎08-19-2021

This gives me the below errors:

venkatasri · ‎08-19-2021

| mstats seems doesn't support stats style eval aggr functions. How about changing to stats?

index=sfp_metrics earliest=-5m@m latest=now
| bin span=1m _time
| stats count(eval(ip=="37.25.139.34")) as ip34, count(eval(ip=="37.25.139.35")) as ip35,avg(bytes),stdev(bytes),median(bytes),avg(response_time_s),stdev(response_time_s),median(response_time_s) by _time, uri 
| eventstats sum(ip34) as ip34, sum(ip35) as ip35 by uri 
| table ip* avg* std* med* uri

nouraali · ‎08-27-2021

This works only on events index, while the data i am searching is stored in metrics index.

How to use eval with mstats

eval

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor