can you please help me in writing SPL query for the below scenario.
I want to calculate delta of success rate of a particular field for two servers.
I used the below query:
.....|stats values(Resp) as Resp values(Req) as Required by _time,host | eval Success_Rate= (Resp/Req)*100 |delta Success_Rate as Delta_of_Success_Rate | xyseries _time host Delta_of_Success_Rate
Here, splunk is calculating the delta according to values listed in the statistics. Can you please or correct this query to calculating delta value for each host
| makeresults
| eval temp="Time: 21:30
Total: 60 Running: 05
mt100 pool1 /root/user/bin/process1.sh
mt100 pool12 /root/user/bin/process21.deb
mt201 pool2 /root/user/bin/process321.sh
mt301 pool3 /root/user/bin/process432.deb
mt301 pool312 /root/user/bin/process52.sh"
| makemv delim="
" temp
| mvexpand temp
| rename temp as _raw
| erex processname examples="/root/user/binprocess1.sh,/root/user/bin/process21.deb"
Also please.
| makeresults count=2
| streamstats count
| eval _time=if(count=2,relative_time(_time,"-1d@m"),_time)
| makecontinuous span=1m _time
| eval host="host".(random() % 2 + 1)
| eval Resp=random() % 5 + 1, Req=random() % 5 + 1
| bin span=1h _time
| stats sum(Resp) as Resp sum(Req) as Required by _time,host
| eval Success_Rate= round((Resp/Required)*100)
| reverse
| delta Success_Rate as Delta_of_Success_Rate
| xyseries _time host Delta_of_Success_Rate
Hi, folks. I think that if you use reverse
, it works properly
Maybe this?
... | bin _time span=1h
| stats dc(Resp) AS Resp dc(Req) AS Req BY _time host
| eval Success_Rate = 100 * (Resp / Req)
| streamstats current=f last(Success_Rate) AS Next_Success_Rate BY host
| eval Delta_of_Success_Rate = Next_Success_Rate - Success_Rate
| timechart span=1h first(Delta_of_Success_Rate) AS Delta_of_Success_Rate BY host
Can you give an example and desired output?
Does it look like:
host time delta
a 1
a 2
b 1
b 2
and you want it to just be for one host? sorted by host? thanks!
My desired output should be like:
Time Delta(host 1) Delta(host 2)
I didn't sort it by host. I will try like that.
I am getting the below output:
time host sucess_rate Delta_of_sucess_rate
12/29/19 08:40 AM XM1 100
12/29/19 08:40 AM XM2 98 -2
12/29/19 08:45 AM XM1 99 1
12/29/19 08:45 AM XM2 100 1
12/29/19 08:50 AM XM1 96 -4
12/29/19 08:50 AM XM2 95 -1
The above is calculating delta incorrectly. I want to display the below desired output.
time host sucess_rate Delta_of_sucess_rate
12/29/19 08:40 AM XM1 100
12/29/19 08:45 AM XM1 99 -1
12/29/19 08:50 AM XM1 96 -3
12/29/19 08:40 AM XM2 98
12/29/19 08:45 AM XM2 100 2
12/29/19 08:50 AM XM2 95 -5
OR
time success_XM1 delta_success_host(XM1) success_XM2 delta_success_host(XM2)
12/29/19 08:40 AM 100 98
12/29/19 08:45 AM 99 -1 100 2
12/29/19 08:50 AM 96 -3 95 -5
Finally, I want to show the delta values of two hosts in one panel by time. can you please help me on this. Thanks