Solved: Weight host using lookup table.

jevenson · ‎04-15-2013

I'm trying to get a weighted ratio of errors per server. I have a lookup table like this:

host,percent
server1,25
server2,25
server3,50

Normally I'd do something like sourcetype=iis sc_status=500 [| inputlookup ratio | fields host] | chart count by host, which gives me a count of errors by server, but I want a weighted count based on that percent.

How would I use the lookup table to multiply the errors on a per server basis?

Ayn · ‎04-15-2013

Hi! 🙂

So, if what you want to do it multiply the count by the defined percent value for each of these hosts, you could do something like:

sourcetype=iis sc_status=500 [| inputlookup ratio | fields host] | lookup yourlookuptable host OUTPUT percent | chart count by host | eval weightedcount=count*percent/100

View solution in original post

Ayn · ‎04-15-2013

Hi! 🙂

So, if what you want to do it multiply the count by the defined percent value for each of these hosts, you could do something like:

sourcetype=iis sc_status=500 [| inputlookup ratio | fields host] | lookup yourlookuptable host OUTPUT percent | chart count by host | eval weightedcount=count*percent/100

Weight host using lookup table.

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

Weight host using lookup table.

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!