Splunk Search

After applying the stats percentile function to the daily max per sourcetype, how do I format the resulting table to create more fields?

HattrickNZ
Motivator

If I have the following, the max per day per sourcetype:

index=_internal sourcetype=*  sourcetype=splunkd | timechart  span=d count(series) as t count(file) as t2 by sourcetype

_time       t2: splunkd   t: splunkd
2015-08-28  0             949
2015-08-29  0             0
2015-08-30  0             0
2015-08-31  42            13891
2015-09-01  17            13497

Then I want to apply the percentile function to these daily maxes (there might be a better way of doing this):

index=_internal sourcetype=*  sourcetype=splunkd | timechart  span=d count(series) as t count(file) as t2 by sourcetype | stats perc90(*) as *

t2: splunkd   t: splunkd
42            13891

Then I want to somehow get it to this because I want to create more fields e.g. t3=t*100/t2

sourcetype  t2  t
splunkd     42  13891

Can this be done?


somesoni2
SplunkTrust

This should give you what you need

index=_internal sourcetype=splunkd 
| bucket span=1h _time | stats count(series) as t count(file) as t2 by _time,sourcetype | stats perc90(*) as * by sourcetype | eval t3=t*100/t2


HattrickNZ
Motivator

Thanks, that's exactly what I want.

And just for my reference, if you would like to clarify/comment:

The two searches below give similar outputs, but I guess using the bucket option with stats gives more flexibility than timechart in this regard.

index=_internal sourcetype=splunkd | bucket span=d _time | stats count(series) as t count(file) as t2 by _time,sourcetype

_time                sourcetype  t      t2
2015-08-31 00:00:00  splunkd     13891  42
2015-09-01 00:00:00  splunkd     25797  21
2015-09-02 00:00:00  splunkd     10881  17

index=_internal sourcetype=* sourcetype=splunkd | timechart span=d count(series) as t count(file) as t2 by sourcetype

_time       t2: splunkd  t: splunkd
2015-08-31  42           13891
2015-09-01  21           25797
2015-09-02  17           10698
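
The pipeline in the accepted answer (bucket, stats by _time and sourcetype, perc90 by sourcetype, eval) and the bucket-versus-timechart comparison in the follow-up above, re-implemented in plain Python as an added, stand-alone illustration. This is not Splunk code and not code from either poster. The events are constructed; the daily totals for sourcetype=splunkd are chosen to match the first table in the question, and a second, assumed sourcetype (splunkd_access) is included to show the `by sourcetype` split. Percentiles use the nearest-rank method, which reproduces the numbers on the page (perc90 of the daily values returns the maximum); Splunk's perc is documented as approximate on large data sets, so the exact rank is an assumption. The zero_fill switch reproduces the difference visible in the follow-up's two tables: `bucket | stats ... by _time` emits a row only for spans that contain events, while `timechart` also emits zero rows for empty days (as in the question's first table), which changes lower percentiles and can make t2 zero, where `eval t3=t*100/t2` yields null.

```python
"""Plain-Python re-implementation of the accepted search (added example, not Splunk code):

    ... | bucket span=1d _time
        | stats count(series) as t count(file) as t2 by _time, sourcetype
        | stats perc90(*) as * by sourcetype
        | eval t3=t*100/t2
"""
from collections import defaultdict
from datetime import datetime, timezone
import math

DAY = 86400  # span=1d in seconds (the answer uses span=1h; the question's tables are per day)


def make_day(date, sourcetype, n_series, n_file):
    """Constructed events for one UTC day: n_series events carrying a `series`
    field and n_file events carrying a `file` field (count(X) counts events
    in which field X is present)."""
    ts = int(datetime.strptime(date, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())
    events = [{"_time": ts + i % DAY, "sourcetype": sourcetype, "series": "s"} for i in range(n_series)]
    events += [{"_time": ts + i % DAY, "sourcetype": sourcetype, "file": "f"} for i in range(n_file)]
    return events


# Constructed sample data. splunkd totals match the table in the question;
# 2015-08-29 and 2015-08-30 deliberately have no events at all.
EVENTS = (
    make_day("2015-08-28", "splunkd", 949, 0)
    + make_day("2015-08-31", "splunkd", 13891, 42)
    + make_day("2015-09-01", "splunkd", 13497, 17)
    + make_day("2015-08-31", "splunkd_access", 30, 0)  # assumed second sourcetype
    + make_day("2015-09-01", "splunkd_access", 10, 5)
)


def stats_by_time_sourcetype(events, span=DAY, zero_fill=False):
    """`bucket span=<span> _time | stats count(series) as t count(file) as t2 by _time, sourcetype`.

    Like Splunk's stats, a row exists only for spans that contain events.
    zero_fill=True emulates timechart instead, which also emits 0-rows for
    empty spans across the time range."""
    rows = defaultdict(lambda: {"t": 0, "t2": 0})
    for ev in events:
        row = rows[(ev["_time"] - ev["_time"] % span, ev["sourcetype"])]
        if "series" in ev:
            row["t"] += 1
        if "file" in ev:
            row["t2"] += 1
    if zero_fill:
        times = [ts for ts, _ in rows]
        for st in {st for _, st in rows}:
            for ts in range(min(times), max(times) + span, span):
                rows.setdefault((ts, st), {"t": 0, "t2": 0})
    return dict(rows)


def perc(values, x):
    """Nearest-rank X-th percentile (assumption: matches the page's perc90 output).
    Returns None for an empty series, as stats would return no value."""
    vals = sorted(values)
    if not vals:
        return None
    rank = max(1, math.ceil(x / 100 * len(vals)))
    return vals[rank - 1]


def perc_by_sourcetype(rows, x=90):
    """`stats perc<x>(*) as * by sourcetype` over the (t, t2) rows."""
    per_st = defaultdict(lambda: defaultdict(list))
    for (_, st), row in rows.items():
        for field, val in row.items():
            per_st[st][field].append(val)
    return {st: {f: perc(v, x) for f, v in fields.items()} for st, fields in per_st.items()}


def eval_t3(result):
    """`eval t3=t*100/t2`; eval yields null (None here) on division by zero."""
    for row in result.values():
        row["t3"] = None if row["t2"] == 0 else row["t"] * 100 / row["t2"]
    return result


def pipeline(events, x=90, zero_fill=False):
    """Whole search: bucket+stats, percentile by sourcetype, then the eval."""
    return eval_t3(perc_by_sourcetype(stats_by_time_sourcetype(events, zero_fill=zero_fill), x))


if __name__ == "__main__":
    for st, row in sorted(pipeline(EVENTS).items()):
        print(st, row)
```

With x=90 the empty days do not matter here, because the 90th percentile of three or five values is the maximum either way. With x=50 the two forms disagree: over the days that have events the median daily count(series) for splunkd is 13497, while with timechart-style zero rows it is 949 and t2 becomes 0, so t3 is null. When such a percentile is used as a detection baseline, decide explicitly whether days without events count as zero or are ignored.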