How to categorize search results as "good" or "bad...

vrmandadi · ‎09-09-2015

1) In the picture attached, I want to display the values >300 as good and less than 300 as bad

2) The other part is to calculate the avg of each row (i.e. (calgary+leatherhead+Melbourne)/3) and display a new column with the avg of those, and if the value is >350 it is good and less than 350 as bad

vrmandadi · ‎09-09-2015

thank you so much guys

woodcock · ‎09-10-2015

Be sure to close out the question by pickimg the answer that you like the best and clicking "Accept".

woodcock · ‎09-09-2015

Like this:

index=pams sourcetype=transaction transaction_status=Success transaction="PAMS 2GiB Read" (host=ups6z4420yh24* OR host=ldn6z442166w6* OR host=cal6z442804vy* OR host=esh6z4419fvaj*) earliest=-1d@d latest=now | eval duration=2048000/duration | eval sitecode=substr(upper(hostname),1,3) | loookup app_utc_site_lat_long.csv sitecode OUTPUTNEW site | timechart avg(duration) by site | addtotals row=t | eval cols=-2 | foreach * [eval cols=cols+1] | eval AllSiteAvg=Total/cols | fields - Total cols | foreach * [eval <<FIELD>>_status = if((<<FIELD>> > 300), "GOOD", "BAD")] | fields - _time_status

somesoni2 · ‎09-09-2015

Try something like this (fixed the timechart span to 30 mins in bucket/timechart command)

index=pams ..rest of base search host="ups... rest of host filter | eval duration=(2048/duration)*1000 | bucket span=30m _time | stats avg(duration) as duration by _time hostname | eval sitecode=substr(upper(hostname),1,3) | lookup app_utc_site_lat_long.csv sitecode OUTPUTNEW site | table _time site duration | appendpipe [| stats avg(duration) as duration by _time | eval site="TotalAvg"] | timechart span=30m avg(duration) as duration by site | eval category=if(TotalAvg>300,"Good","Bad")

somesoni2 · ‎09-09-2015

What you want to show as in good OR bad? Can you provide sample output you expect?

vrmandadi · ‎09-09-2015

if the avg of three fields calgary+leatherhead+Melbourne/3 is greater than 300 then the avg value should be displayed and it should fall in good category for example
_time calgary houston
2015-09-08 10 20

melbourne average status
30 20 good

the average of 10+20+30/3=20
since its avg is greater than 10 it is good or else it should be bad

somesoni2 · ‎09-09-2015

One final question, will it be ok for your to fix the span of timechart??

vrmandadi · ‎09-09-2015

ya so is there anything to do with that

vrmandadi · ‎09-09-2015

Hi somesh if you dont mind can i have your email id..i have seen you have almost 3 yrs exp in splunk as a dev and admin

somesoni2 · ‎09-09-2015

Sure.. it's somesh.soni@gmail.com

lguinn2 · ‎09-09-2015

There is no picture attached. Perhaps you could cut-and-paste the search query. Highlight the text of the search query, then use the 101010 icon to format it as "code" and it will look fine.

vrmandadi · ‎09-09-2015

can you see the pic now

How to categorize search results as "good" or "bad" based on values returned?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor