- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I get span=1m to work with eventstats in th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is my search so far.
sourcetype="spam" |eventstats count as total|search block_code="*" |eventstats count as blocked|eval blk_prcnt=round((blocked/total)*100,2)|timechart span=1m values(blk_prcnt)
It seems to print the total percentage over the last 15 minutes that I am running it on.
I thought eventstats keeps all data, but it seems like something is getting lost?
Goal is a table or chart of total, blocked, and blk_prcnt for every minute.
Was starting slow and looking to get blk_prcnt every minute, for a 15 minute interval.
TIA,
-ALF
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're filtering events ( |search block_code="*" ) and that may be reason for incomplete results. Give this a try
sourcetype="spam" |eventstats count as total, count(block_code) as blocked|eval blk_prcnt=round((blocked/total)*100,2)|timechart span=1m values(blk_prcnt)
If you want a table with blk_prcnt for calculated for each minute, you need to include time into equation . Something like this
sourcetype="spam" | timechart span=1m count as total, count(block_code) as blocked |eval blk_prcnt=round((blocked/total)*100,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're filtering events ( |search block_code="*" ) and that may be reason for incomplete results. Give this a try
sourcetype="spam" |eventstats count as total, count(block_code) as blocked|eval blk_prcnt=round((blocked/total)*100,2)|timechart span=1m values(blk_prcnt)
If you want a table with blk_prcnt for calculated for each minute, you need to include time into equation . Something like this
sourcetype="spam" | timechart span=1m count as total, count(block_code) as blocked |eval blk_prcnt=round((blocked/total)*100,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the 2nd one you gave worked, the 1st one was no different than my original one.
thank you.
I need to run this over the last year, so need to look into what commands are most efficient.
-ALF
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you need span=1m for last year as well??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, i will do span=1mon
-ALF
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think something with buckets could work for you:
sourcetype="spam"
| bucket _time span=1m
| stats count AS total, count(eval(isnotnull(block_code))) AS blocked by _time
| eval blk_prcnt=round((blocked/total)*100,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that worked Awesome, wish i understood it ????
how the hec did you get blk_prcnt into the output table?
i'm guessing the stats command put the other 2 "total" and "blocked" into the table.
Guess i got a lot of manual reading to do.
-ALF
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
