Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Ratio using src_bytes instead of count for two fields

jaywilwk
Engager
‎09-04-2013 07:42 AM

how can I do a ratio search not based on count, but based on src_bytes (inbound traffic) to get a ratio for two fields. For example, I want to do a ratio of two categories Shopping sites to Search Engine sites, but not by count but by bandwidth (src_bytes).

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

srioux
Communicator
‎09-05-2013 05:54 AM

You didn't give us a lot to go on.

Assuming that the two record types would have differing sourcetype (which they might not), the following should work:

...your base search search here... | stats sum(src_bytes) AS Size by sourcetype

That would create a sum of the values in src_bytes, using sourcetype as a grouping, over the timeframe of your search. If you have another field differentiating the two categories, you should be able to use that instead of sourcetype.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

srioux
Communicator
‎09-05-2013 05:54 AM

You didn't give us a lot to go on.

Assuming that the two record types would have differing sourcetype (which they might not), the following should work:

...your base search search here... | stats sum(src_bytes) AS Size by sourcetype

That would create a sum of the values in src_bytes, using sourcetype as a grouping, over the timeframe of your search. If you have another field differentiating the two categories, you should be able to use that instead of sourcetype.

0 Karma
Reply
Solved! Jump to solution

srioux
Communicator
‎09-09-2013 11:25 AM

Try:
index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | stats sum(eval(round(if(Category="IBC",src_bytes,0)/1024/1024,2))) AS IBC_MB, sum(eval(round(if(Category="Non-IBC",src_bytes,0)/1024/1024,2))) AS Non_IBC_MB by base | eval Ratio=IBC_MB/Non_IBC_MB

0 Karma
Reply
Solved! Jump to solution

jaywilwk
Engager
‎09-09-2013 09:12 AM

I have a question. On the first ratio search you sent, is it possible to have the search show like this:
base IbC Non-IbC Ratio of IbC/Non-IbC
base a 22 23 0.96
base b 6 7 0.86
base c 25 26 0.96

0 Karma
Reply
Solved! Jump to solution

jaywilwk
Engager
‎09-05-2013 10:12 AM

that GET/POST one I sent you showed results like this:
base POST GET RATIO OF GET/POST
1. base a 9 9 1
2. base b 6 2 0.33
3. base c 2 3 1.50

0 Karma
Reply
Solved! Jump to solution

srioux
Communicator
‎09-05-2013 09:59 AM

I don't know what your results look like, so not sure. That said, here's another search which should give you a ratio:

index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | stats sum(eval(round(if(Category="IBC",src_bytes,0)/1024/1024,2))) AS IBC_MB, sum(eval(round(if(Category="Non-IBC",src_bytes,0)/1024/1024,2))) AS Non-IBC_MB | eval Ratio=IBC_MB/Non-IBC_MB

0 Karma
Reply
Solved! Jump to solution

jaywilwk
Engager
‎09-05-2013 08:31 AM

Is it possible to have it setup like this? I'm mainly concern with the layout of the results. The results of this shows a list of bases with the post, gets and the ratio of get/post:
index=proxysg sourcetype=proxysg | stats count(eval(method="POST")) as POST, count(eval(method="GET")) AS GET by base | eval RATIO OF GET/POST=(GET/POST

0 Karma
Reply
Solved! Jump to solution

jaywilwk
Engager
‎09-05-2013 07:51 AM

The results shown was the two Category's IBC, Non-IBC along with Bytes field and MB field.

0 Karma
Reply
Solved! Jump to solution

srioux
Communicator
‎09-05-2013 07:44 AM

Try:

index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | stats sum(src_bytes) AS Bytes by Category | eval MB=round(Bytes/1024/1024,2)

The ratios may need to be calculated once we've appropriately categorized the data.

0 Karma
Reply
Solved! Jump to solution

jaywilwk
Engager
‎09-05-2013 07:37 AM

Category is an extracted field. This search didn't work for me at all. This is the basic search I started out with manipulating to try to yield some results.

0 Karma
Reply
Solved! Jump to solution

srioux
Communicator
‎09-05-2013 07:28 AM

Is 'category' a field in your raw data, do you have it extracted, or is that piece of the search still pending? Can you provide a few sample records (anonymize the data set as required).

There are likely a few ways to get what you're looking for.

0 Karma
Reply
Solved! Jump to solution

jaywilwk
Engager
‎09-05-2013 07:16 AM

Here's what i'm trying to do. I'm trying to get a ratio of events within a category, but I'm only concern with two events. One event is in the category IBC. The other events I want to consolidate those into one event in the category, to get a ratio of IBC to Non IBC traffic by src_bytes.
index=proxysg sourcetype=proxysg | stats sum(src_bytes) as MB by category | eval MB=round(MB/1024/1024,2) | category!=IBC Allow* as Non-Ibc, category=IBC Allow as IbC Allow

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...