How to categorize search results as "good" or "bad...

vrmandadi · ‎09-09-2015

1) In the picture attached, I want to display the values >300 as good and less than 300 as bad

2) The other part is to calculate the avg of each row (i.e. (calgary+leatherhead+Melbourne)/3) and display a new column with the avg of those, and if the value is >350 it is good and less than 350 as bad

vrmandadi · ‎09-09-2015

thank you so much guys

woodcock · ‎09-10-2015

Be sure to close out the question by pickimg the answer that you like the best and clicking "Accept".

woodcock · ‎09-09-2015

Like this:

index=pams sourcetype=transaction transaction_status=Success transaction="PAMS 2GiB Read" (host=ups6z4420yh24* OR host=ldn6z442166w6* OR host=cal6z442804vy* OR host=esh6z4419fvaj*) earliest=-1d@d latest=now | eval duration=2048000/duration | eval sitecode=substr(upper(hostname),1,3) | loookup app_utc_site_lat_long.csv sitecode OUTPUTNEW site | timechart avg(duration) by site | addtotals row=t | eval cols=-2 | foreach * [eval cols=cols+1] | eval AllSiteAvg=Total/cols | fields - Total cols | foreach * [eval <<FIELD>>_status = if((<<FIELD>> > 300), "GOOD", "BAD")] | fields - _time_status

somesoni2 · ‎09-09-2015

Try something like this (fixed the timechart span to 30 mins in bucket/timechart command)

index=pams ..rest of base search host="ups... rest of host filter | eval duration=(2048/duration)*1000 | bucket span=30m _time | stats avg(duration) as duration by _time hostname | eval sitecode=substr(upper(hostname),1,3) | lookup app_utc_site_lat_long.csv sitecode OUTPUTNEW site | table _time site duration | appendpipe [| stats avg(duration) as duration by _time | eval site="TotalAvg"] | timechart span=30m avg(duration) as duration by site | eval category=if(TotalAvg>300,"Good","Bad")

somesoni2 · ‎09-09-2015

What you want to show as in good OR bad? Can you provide sample output you expect?

vrmandadi · ‎09-09-2015

if the avg of three fields calgary+leatherhead+Melbourne/3 is greater than 300 then the avg value should be displayed and it should fall in good category for example
_time calgary houston
2015-09-08 10 20

melbourne average status
30 20 good

the average of 10+20+30/3=20
since its avg is greater than 10 it is good or else it should be bad

somesoni2 · ‎09-09-2015

One final question, will it be ok for your to fix the span of timechart??

vrmandadi · ‎09-09-2015

ya so is there anything to do with that

vrmandadi · ‎09-09-2015

Hi somesh if you dont mind can i have your email id..i have seen you have almost 3 yrs exp in splunk as a dev and admin

somesoni2 · ‎09-09-2015

Sure.. it's somesh.soni@gmail.com

lguinn2 · ‎09-09-2015

There is no picture attached. Perhaps you could cut-and-paste the search query. Highlight the text of the search query, then use the 101010 icon to format it as "code" and it will look fine.

vrmandadi · ‎09-09-2015

can you see the pic now

How to categorize search results as "good" or "bad" based on values returned?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!