Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use stats() by one value, "all" and stats() by each selected value ?

Jouman
Path Finder
‎08-22-2023 09:04 PM

Hi all,

I want to analyze the Round Trip Time and received count in Ping command for each ping packet size or for all packets.

Therefore, I use stats() as below:

 

<my basic search> `comment("generate ping_rtt_time for round trip time, ping_rcv_count for received packet count")`
| stats min(ping_*) as min_ping_*, max(ping_*) as max_ping_*, avg(ping_*) as avg_ping_*, perc20(ping_ping_*) as pr20_ping_*, perc40(ping_*) as pr40_ping_*, stdev(ping_*) as stdev_ping_* by ping_packet_size

 

 
Therefore if the user selects multi-ple packet size, ex, 40, 128 bytes, the related analysis can be provided.

But if a user wants to read analysis for all packets, that means he want to analyze all  packet size, ex, All, I can't use the same stats().
If there are 2 kinds of packet size, ex. 40 , 128 bytes, it is different between selecting 40 and 128 options in a scroll down bar with selecting "All" in the same scroll down bar.

Does anyone know how to analyze for one or multi-ple packet size and for all kinds of packet size as well ?

Thank you.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-22-2023 11:34 PM 
| eventstats min(ping_*) as min_ping_*_all, max(ping_*) as max_ping_*_all, avg(ping_*) as avg_ping_*_all, perc20(ping_*) as pr20_ping_*_all, perc40(ping_*) as pr40_ping_*_all, stdev(ping_*) as stdev_ping_*_all
| stats min(ping_*) as min_ping_*, max(ping_*) as max_ping_*, avg(ping_*) as avg_ping_*, perc20(ping_*) as pr20_ping_*, perc40(ping_*) as pr40_ping_*, stdev(ping_*) as stdev_ping_* max(min_ping_*_all) as min_ping_*_all, max(max_ping_*_all) as max_ping_*_all, max(avg_ping_*_all) as avg_ping_*_all, max(pr20_ping_*_all) as pr20_ping_*_all, max(pr40_ping_*_all) as pr40_ping_*_all, max(stdev_ping_*_all) as stdev_ping_*_all by ping_packet_size
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...