Good afternoon Gurus,
I was just put into a position to teach myself how to Splunk. I don't have experience with this kind of query language and it's bringing me to my knees. Here's my query... there is a selected index and everything works perfectly except when I add in a simple division statement... then it says the query is malformed, but I'm pretty sure that's not the case at all. I'm trying to get the percentage of events where the response_time is greater than 2 standard deviations:
index="myIndex"
| eventstats avg(response_time) as Average_Response_Time stdev(response_time) as Standard_Deviation count(response_time) as Total_Count
| eval calc = Average_Response_Time+(2*Standard_Deviation)
| eval 2xStd = if(response_time>calc, 1, 0)
| eventstats sum(2xStd) as 2times
| eval percent = 2times/Total_Count
| table response_time Average_Response_Time Standard_Deviation
Hi @michaelhaedt
For the division statement, instead of using the 2times field, can you use times2 or any name which does not start with a number:
| eval percent = 2times/Total_Count
index="myIndex"
| eventstats avg(response_time) as Average_Response_Time stdev(response_time) as Standard_Deviation count(response_time) as Total_Count
| eval calc = Average_Response_Time+(2*Standard_Deviation)
| eval 2xStd = if(response_time>calc, 1, 0)
| eventstats sum(2xStd) as times2
| eval percent = times2/Total_Count
| table response_time Average_Response_Time Standard_Deviation
Thank you folks, this really had me bent. I'm sure I'll have many more questions 🙂
You could try enclosing the field name in single quotes (not double quotes) when referring to the field.
index="myIndex"
| eventstats avg(response_time) as Average_Response_Time stdev(response_time) as Standard_Deviation count(response_time) as Total_Count
| eval calc = Average_Response_Time+(2*Standard_Deviation)
| eval 2xStd = if(response_time>calc, 1, 0)
| eventstats sum('2xStd') as 2times
| eval percent = '2times'/Total_Count
| table response_time Average_Response_Time Standard_Deviation
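As an added example (not from any of the posters above), the same calculation written with field names that start with a letter, so no quoting is needed on the right-hand side of eval, and collapsed with stats into a single summary row with a rounded percentage; this goes a little beyond the thread by reporting the summary instead of one row per event. The index and the response_time field are taken from the question; the field names over_2sd, over_2sd_count and pct_over_2sd are chosen here.

```spl
index="myIndex"
| eventstats avg(response_time) as Average_Response_Time stdev(response_time) as Standard_Deviation
| eval threshold = Average_Response_Time + (2 * Standard_Deviation)
| eval over_2sd = if(response_time > threshold, 1, 0)
| stats count(response_time) as Total_Count sum(over_2sd) as over_2sd_count
| eval pct_over_2sd = round(100 * over_2sd_count / Total_Count, 2)
| table Total_Count over_2sd_count pct_over_2sd
```

Events with no response_time value are not counted in Total_Count, and the comparison against the threshold evaluates to false for them, so they do not inflate either side of the ratio.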