cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
arm3n
New Member
Member since: ‎04-21-2015
‎07-31-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-21-2015
Activity Feed
View All

Re: Exclude data if field stats percentage exceede...

by in Splunk Search
‎07-29-2020 10:21 AM
‎07-29-2020 10:21 AM
Thank you for looking at my question, @skoelpin !  I do appreciate the improved simplicity of using streamstats and eventstats in lieu of my clunky join.  However, I am still interested in a way to identify a field value that has an unnaturally high percentage and remove its data from the results altogether.   In simplest terms: If I have a thousand events coming back, and of those one unique SESSIONID value is encompassing 800 (80%) of the total SESSIONID values, I would only like to see the remaining 200 values for my result set. Thanks again! -Armen ... View more

Exclude data if field stats percentage exceeded

by in Splunk Search
‎07-28-2020 03:28 PM
‎07-28-2020 03:28 PM
Hi folks, been banging my head against this for hours and am sure I am missing something obvious.  I have tried using eval and evenstats in various iterations, but no dice. Essentially I am trying to have the below Alert/Search executed (which compares a volume of errors from one minute to the next).  The problem we've been running into, is that we have a field value SESSID that is assigned to unique sessions, and at times one "stuck" session can really muddy up this valuable canary alert for us.  My goal is to either exclude all results with an offending SESSID (e.g. where its stats percentage exceeded 10%) or just not trigger the alert for that particular minute.     host=app* LOGLEVEL=ERROR earliest=-2m@m latest=-1m@m | stats count as LastMinute | join host [search host=app* LOGLEVEL=ERROR earliest=-3m@m latest=-2m@m |bucket _time span=1m | stats count as PrevMinute ] | eval HigherThanPrevMinute=(3*PrevMinute) | where LastMinute > HigherThanPrevMinute |where LastMinute > 1000 |table LastMinute,PrevMinute       Thank you in advance! -Armen     ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-31-2020 06:59 PM