Splunk Search

Showing baseline result relative to other results

jrjarcher
New Member

I have a line chart that plots results for a bunch of tests. One of the tests is a "baseline" result. Each result includes a value that indicates the baseline to compare with.

I currently have a query that looks something like:

<search base="First_Base_Search">
          <query>| stats perc50("Variables.Xmetrics.totalCpuUtilizationSeconds") as "50th Percentile" by "Variables.deviceBuild"</query>
        </search>

How can I modify the query to plot the baseline result? There is a variable called: "Variables.baselineBuild", so I can search for the baseline result and get its Variables.Xmetrics.totalCpuUtilizationSeconds.

I just don't know SPL well enough to wrap my head around how I can do this secondary query and then reference it when drawing the chart UI element.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

I'm assuming that the baselineBuild value is the same field format as the deviceBuild, and refers to one of the deviceBuilds

Try this -

| stats 
    perc50("Variables.Xmetrics.totalCpuUtilizationSeconds") as BuildP50 
    max("Variables.baselineBuild") as Baseline
    by "Variables.deviceBuild"

| appendpipe 
    [| table "Variables.deviceBuild" BuildP50 
     | rename "Variables.deviceBuild" as Baseline
     | stats max(BuildP50) as BaselineP50 by Baseline
     | eval killme="killme"]

| eventstats max(BaselineP50) as BaselineP50 by Baseline
| where isnull(killme) 

| table "Variables.deviceBuild" BuildP50 Baseline BaselineP50 

Although it seems to me that the complex names in the stats command should use single quotes, and I much prefer to get rid of them before doing any real SPL coding.

0 Karma
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...