- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Show max ,minimum and average values from a pool o...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Show max ,minimum and average values from a pool of host machines on a chart
I have the follow search which shows the call count being made to a number of hosts every 15mins
"cs_dataowner_id="ICTO-18172" cs_stage="PROD" |search source="dqs"| search "FetchTradesHistoric invoked"|timechart count as calls by host span=15m"
I want to show on a chart for each 15 min span the host which has had the max count, the minimum count and the overall average count
The purpose being it gives the user an idea of what host is being over and under utilized and allows it compare it against the average
Any ideas how I can incorporate that in a chart ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response
I'm not sure whether it down to the version of Splunk I am using , which is Splunk Version ...6.6.6.1, but the below line does not return any results
cs_dataowner_id="ICTO-18172" cs_stage="PROD" source="dqs" "FetchTradesHistoric invoked" | timechart span=15m count as calls by host
I have to use my original format below to get a resultset which it does for each host
cs_dataowner_id="ICTO-18172" cs_stage="PROD" |search source="dqs"| search "FetchTradesHistoric invoked"|timechart span=15m count as calls by host| eventstats max(calls) as max_calls min(calls) as min_calls avg(calls) as average_calls
To the above search if I then try to append the below again get no results is this a version or format issue ?
"| stats values(max_calls) as max_calls, values(min_calls) as min_calls, values(average_calls) as average_calls"
If I do the full search with the eval function included I get the syntax error below
"⚠ Error in 'stats' command: The eval expression for dynamic field 'eval(if(calls==max_calls), host, NULL)' is invalid. Error='The operator at ', host, NULL' is invalid.' "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cs_dataowner_id="ICTO-18172" cs_stage="PROD" source="dqs" "FetchTradesHistoric invoked"
| timechart span=15m count as calls by host
| eventstats max(calls) as max_calls min(calls) as min_calls avg(calls) as average_calls
| stats values(max_calls) as max_calls, values(min_calls) as min_calls, values(average_calls) as average_calls
,values(eval(if(calls==max_calls), host, NULL)) as max_calls_host
,values(eval(if(calls==min_calls), host, NULL)) as min_calls_host
,values(eval(if(calls > average_calls), host, NULL)) as over_avg_host
,values(eval(if(calls < average_calls), host, NULL)) as under_avg_host
Hi,
After timechart, calculate the maximum value etc. with eventstats and display it with stats.
How about this?
Sorry, The query was wrong.
| makeresults count=10
| streamstats count
| eval host="host_".count
| eval calls=random() % 100
`comment("This is dummy data")`
| eventstats max(calls) as max_calls min(calls) as min_calls avg(calls) as average_calls
`comment("Change stats query")`
| stats values(max_calls) as max_calls, values(min_calls) as min_calls, values(average_calls) as average_calls
,values(eval(if(calls==max_calls, host, NULL))) as max_calls_host
,values(eval(if(calls==min_calls, host, NULL))) as min_calls_host
,values(eval(if(calls > average_calls, host, NULL))) as over_avg_host
,values(eval(if(calls < average_calls, host, NULL))) as under_avg_host
I think this is all right.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
