Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is the following calculation possible ?

luckyman80
Path Finder
‎01-31-2019 02:38 AM

I'm currently generating an AvgTime of processing cycles in a thread within a 5 min duration and writing these out to a log similar to this

[PrepareEvents, DispatchAll]

PrepareEvents samples Avg: 2757ns; Median: 1411ns; Max: 1533433ns; Total Events: 277138; Total Items: 314155

I want to perform the following calculation so i find out how many average ns i've spent processing cycles in the 5min duration

avgTime (multiply i cant add star here) Total items * 100 / (5 min in nanos

Can i do this in splunk ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-31-2019 02:47 AM

Hi @luckyman80

Does this do what you need: <your search> | rex "Avg:\s*(?<avg>\d+)ns;\s*Median:\s*(?<median>\d+)ns;\s*Max:\s*(?<max>\d+)ns;\s*Total Events:\s*(?<total_events>\d+);\s*Total Items:\s*(?<total_items>\d+)" | eval result = (avg * total_items) / 300000000000

All the best, Chris.

View solution in original post

Reply
Solved! Jump to solution

luckyman80
Path Finder
‎01-31-2019 03:32 AM

actually i see the issue. it seems the percentage calculation is missing from your first example

Total items * 100

how do I make this a percentage ?

0 Karma
Reply
Solved! Jump to solution

DMohn
Motivator
‎01-31-2019 03:42 AM

If you just need the results to be displayed as a percentage you can add a | eval result = result." %" to the search string.

This can even be used for rounding down if needed: |eval result = round(result,2)." %"

0 Karma
Reply
Solved! Jump to solution

luckyman80
Path Finder
‎01-31-2019 03:21 AM

Thanks guys this looks good one last ask .. sorry for all the questions.. do you know how to turn the result into a percentage rather then raw value ?

0 Karma
Reply
Solved! Jump to solution

luckyman80
Path Finder
‎01-31-2019 03:10 AM

Hi Chris, Thanks for your prompt response. How do I show the result from the calculation only ?

Thanks again

Paul

0 Karma
Reply
Solved! Jump to solution

DMohn
Motivator
‎01-31-2019 03:14 AM

just add a |table result to the search Chris provided!

Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-31-2019 03:13 AM

Hi Paul

<your search> | rex "Avg:\s*(?<avg>\d+)ns;\s*Median:\s*(?<median>\d+)ns;\s*Max:\s*(?<max>\d+)ns;\s*Total Events:\s*(?<total_events>\d+);\s*Total Items:\s*(?<total_items>\d+)" | eval result = (avg * total_items) / 300000000000 | table result

Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-31-2019 02:47 AM

Hi @luckyman80

Does this do what you need: <your search> | rex "Avg:\s*(?<avg>\d+)ns;\s*Median:\s*(?<median>\d+)ns;\s*Max:\s*(?<max>\d+)ns;\s*Total Events:\s*(?<total_events>\d+);\s*Total Items:\s*(?<total_items>\d+)" | eval result = (avg * total_items) / 300000000000

All the best, Chris.

Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...