Solved: Re: How to get the average of two fields and compa...

vtsguerrero · ‎11-12-2015

I have a simple search like

index=main sourcetype=performance Status=*
| eval Status = if(Status=="S","Success","Error")

Then I should have a count for each status, example 50 Success and 20 Errors.
Then get the average of those two counts, and finally compare this average to last event so I can get the average difference to the last event.
How can achieve this?

Thanks in advance!

woodcock · ‎11-12-2015

The basic answer is very easy; like this:

 index=main sourcetype=performance Status=* | eval Status = if(Status=="S","Success","Error") | stats count BY Status

The problem is the "compare to last event" part, which doesn't make sense to me.

View solution in original post

woodcock · ‎11-12-2015

The basic answer is very easy; like this:

 index=main sourcetype=performance Status=* | eval Status = if(Status=="S","Success","Error") | stats count BY Status

The problem is the "compare to last event" part, which doesn't make sense to me.

vtsguerrero · ‎11-12-2015

This pretty much solves the problem, just need to get the average of errors and success now...

vtsguerrero · ‎11-12-2015

My data is similar to this line:

05112015ZK00S09MAIN
05112015ZK00S14MAIN
05112015ZK00E65MAIN
05102015ZK00E22MAIN
05102015ZK00S01MAIN

Where the "S" or "E" stands for Status.
So I should get the average of events with Success, the average of Errors.
They were both extracted positional regex as "Status"
How can I get the average of'em ?

sideview · ‎11-12-2015

I'm sorry but this question doesn't make any sense so I think you're just asking it in a confusing way. "the average of events with Success, the average of Errors" makes very little sense.

Do you want to end up with a single overall average success rate like 37%?

If so then
index=main sourcetype=performance Status=* | eval foo=1 | chart count over foo by Status | eval ratio=100* (S/E) | eval ratio=ratio + "%" will do the trick.

But this wouldn't incorporate your other requirement, "compare this average to last event so I can get the average difference to the last event" which still doesn't make sense.

vtsguerrero · ‎11-12-2015

Well, this person asked us to get a deviation of average status error / success, I'm not acctually sure if this is possible. He wants a red/yellow/green light indicator to show if the deviation is higher less then 30%, less then 50% or higher then 50% deviation

woodcock · ‎11-12-2015

I agree; you gave us the 1st part (sample events) but not the 2nd part (mockup of final desire).

sideview · ‎11-12-2015

Are these individual events single-line events with only one value for Status each, that then are written out in big groups of events, where each group for you constitutes some "event" in the real world?
Or are these events large multiline events with multiple values of Status in each?

woodcock · ‎11-12-2015

I do not understand. Show sample events and mockup of desired final data.

How to get the average of two fields and compare with last event?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!