Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Percentage of two calculated search values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
don't hate me @to4kawa But can you help me one last time! Ive been stuck for a few hours trying to figure out how to do this, my splunk forum searches are getting me close, but I'm not sure how to go about it... I know the below search is incorrect, but i need to come up with the "avg_kWhU" value and and the "avg_kWhP" value in one search, and then find the percentage difference between kwh used and kwh produced. for example if kWhP was 50 and kWhU was 50 Percent_powered would be 100%
i think i cant have two bins grouping by _time? I have tried many things, and seem to be stuck 😞
| where 'usage_info.d_w'>=0 or 'usage_info.solar_w'>=0
| bin _time span=1h
| stats count as samplesU sum(usage_info.d_w) as watt_sumU by _time
| eval kW_SumU=watt_sumU/1000
| eval avg_kWhU=kW_SumU/samplesU
| stats count as samplesP sum(usage_info.solar_w) as watt_sumP by _time
| eval kW_SumP=watt_sumP/1000
| eval avg_kWhP=kW_SumP/samplesP
| eval percent_powered=((avg_kWhP/avg_kWhU)100)
| table percent_powered
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try multireport
| where 'usage_info.d_w'>=0 or 'usage_info.solar_w'>=0
| bin _time span=1h
| multireport
[| stats count as samplesU sum(usage_info.d_w) as watt_sumU by _time
| eval kW_SumU=watt_sumU/1000
| eval avg_kWhU=kW_SumU/samplesU ]
[| stats count as samplesP sum(usage_info.solar_w) as watt_sumP by _time
| eval kW_SumP=watt_sumP/1000
| eval avg_kWhP=kW_SumP/samplesP ]
| selfjoin _time
| eval percent_powered=round((avg_kWhP/avg_kWhU)*100),2)
| table percent_powered
multireport has no reference.
reference:
https://www.google.com/search?q=multireport+splunk
don't hate me @to4kawa
No, I don't think so.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try multireport
| where 'usage_info.d_w'>=0 or 'usage_info.solar_w'>=0
| bin _time span=1h
| multireport
[| stats count as samplesU sum(usage_info.d_w) as watt_sumU by _time
| eval kW_SumU=watt_sumU/1000
| eval avg_kWhU=kW_SumU/samplesU ]
[| stats count as samplesP sum(usage_info.solar_w) as watt_sumP by _time
| eval kW_SumP=watt_sumP/1000
| eval avg_kWhP=kW_SumP/samplesP ]
| selfjoin _time
| eval percent_powered=round((avg_kWhP/avg_kWhU)*100),2)
| table percent_powered
multireport has no reference.
reference:
https://www.google.com/search?q=multireport+splunk
don't hate me @to4kawa
No, I don't think so.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I didn't even know this was possible. thanks!
Fall Into Learning with New Splunk Education Courses
Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...
How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes
