- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- setting event occurrences in relation with each ot...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I need to set the occurences of certain log events in relation with each other.
Consider the following log entries:
event=foo
event=foo
event=foo
event=bar
event=bar
As an end result I now want to get the relation of the values 3 (number of foo events) and 2 (number of bar events), e.g. 0.66666
My current approach looks like this:
index=fooIndex (event=foo OR event=bar) | timechart span=1d count by event | eval perc = (bar/foo)*100 | table perc
But this feels a little clunky since the time dimension is not actually relevant and the timechart command is only used to put the results together into one row.
What would be the better approach to this?
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for completenes this is the solution i came up with.
(inspired by: http://docs.splunk.com/Documentation/Storm/Storm/User/Moresearchexamples)
index=fooIndex | stats count(eval(event="foo")) as fooCount, count(eval(event="bar")) as barCount | eval perc = (barCount/fooCount)*100 | table fooCount, barCount, perc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for completenes this is the solution i came up with.
(inspired by: http://docs.splunk.com/Documentation/Storm/Storm/User/Moresearchexamples)
index=fooIndex | stats count(eval(event="foo")) as fooCount, count(eval(event="bar")) as barCount | eval perc = (barCount/fooCount)*100 | table fooCount, barCount, perc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
I think your approach isn't bad.
Is the time dimension really completely irrelevant?. At least your results are returned in one day spans.
I think you could also use a combination of the stats and bucket command.
Greetings
Tom
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for your answer, i came up with another solution that i like a bit better than the timechart one (see below).
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
