How to select only specific events from the search to do stats on?

reachskhm
New Member

Need a way to select only specific events from the list of events. Here is the example: I have a query on IIS logs which gives me around, say, 60000 events, so I want to select every 12th event from those 60000 searched events to do stats on the filtered events.

0 Karma

somesoni2
SplunkTrust

Try like this

your base search | eval sno=1 | accum sno | where floor(sno/12)=(sno/12) | rest of your search
0 Karma

reachskhm
New Member

Thanks for the response. I have one more question: how could I store the event count of a search so that I can do some arithmetic on it?

0 Karma

somesoni2
SplunkTrust

Not sure I get it. Do you want to count of total search results in a field so that you can do some calculation (like percentage calculation) on it?

If above is true, you can use eventstats command to add aggregation in a new field, without changing/aggregating the search results.

e.g. This will give you field totalEvents with total events before the filter.

your base search | eval sno=1 | accum sno | eventstats count as totalEvents | where floor(sno/12)=(sno/12) | rest of your search
0 Karma

reachskhm
New Member

That's similar to what I am looking for, but I am facing an issue here. In the above search, I want to decide the number 12 by doing math with the total events:

your base search | eval sno=1 | accum sno | eventstats count as totalEvents | eval div=totalEvents/5000 | where floor(sno/div)=(sno/div) | rest of your search

but it's not giving me correct results!

0 Karma

somesoni2
SplunkTrust

Could you explain what exactly is your requirement? You want to take every 12th event for your stats and use the total events (before 12th event filter) and using it for what?

0 Karma

reachskhm
New Member

I need to get a sample size of 5000 events to calculate the mean and standard deviation for each day for the last 60 days. So, in order to get a random sample of 5000 events, I am calculating the total events, and then div is floor(totalevents/5000). Once I have this, I am picking each event based on div (like 12 before).

I am able to get it like this:

your base search | eval sno=1 | accum sno | eventstats count as totalEvents | eval div=floor(totalEvents/5000) | where floor(sno/div)=(sno/div) | head 5000 | timechart span=1d avg(filedx) stdev(filedx) ..

Is there anything wrong with this search?

0 Karma

sundareshr
Legend

Try this

your base search | streamstats window=12 current=t count | where count=12 | stats ...

0 Karma

somesoni2
SplunkTrust

This will just exclude first 11 events
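A Python model of the two sampling approaches discussed in this thread, added here as an example (it is not Splunk code and not from any of the posters). It reproduces the semantics of the accum/eventstats search with the floored div from the later post, the streamstats window=12 variant, and a per-day avg/stdev over the sample, on a constructed event list. The field names (`_time`, `fieldx`), event counts and the `guard_div` option modelling `eval div=max(1, floor(totalEvents/5000))` are assumptions made for the example.

```python
"""Model of the SPL sampling searches in this thread (constructed example,
not Splunk code). Events are dicts with `_time` (a day index) and `fieldx`."""
import random
from collections import defaultdict
from statistics import mean, stdev


def make_events(n=30000, days=3, seed=7):
    """Constructed IIS-like events: a day index plus a numeric field to aggregate."""
    rng = random.Random(seed)
    return [{"_time": i * days // n, "fieldx": rng.gauss(200.0, 50.0)} for i in range(n)]


def accum_sample(events, sample_size=5000, guard_div=False):
    """Model of: eval sno=1 | accum sno | eventstats count as totalEvents
    | eval div=floor(totalEvents/sample_size) | where floor(sno/div)=(sno/div)
    | head sample_size.

    Keeps every div-th event (sno divisible by div), then truncates to
    sample_size. With guard_div=False the model mirrors SPL: when there are
    fewer events than sample_size, div is 0, sno/div is null, the where
    clause matches nothing and the result is empty. guard_div=True models
    the assumed fix eval div=max(1, floor(totalEvents/sample_size)).
    """
    total = len(events)
    div = total // sample_size
    if guard_div:
        div = max(1, div)
    if div == 0:
        return []
    kept = [e for sno, e in enumerate(events, start=1) if sno % div == 0]
    return kept[:sample_size]


def streamstats_window(events, window=12):
    """Model of: streamstats window=12 current=t count | where count=12.

    count is the number of events in the trailing window including the
    current one, so it equals 12 for every event from the 12th onward: the
    filter drops only the first window-1 events instead of thinning the
    result to every 12th event.
    """
    return [e for i, e in enumerate(events, start=1) if min(i, window) == window]


def daily_stats(events, field="fieldx"):
    """Model of: timechart span=1d avg(fieldx) stdev(fieldx) over the sample.
    SPL stdev is the sample standard deviation, as statistics.stdev is."""
    by_day = defaultdict(list)
    for e in events:
        by_day[e["_time"]].append(e[field])
    return {day: (mean(v), stdev(v)) for day, v in sorted(by_day.items())}


if __name__ == "__main__":
    evs = make_events()
    sample = accum_sample(evs)
    print(len(evs), "events ->", len(sample), "sampled (every", len(evs) // 5000, "th)")
    for day, (avg, sd) in daily_stats(sample).items():
        print(f"day {day}: avg={avg:.1f} stdev={sd:.1f}")
    print("streamstats variant keeps", len(streamstats_window(evs)), "events")
```

Running it on 30000 constructed events yields a 5000-event sample (every 6th event) and three daily rows; on 60000 events it picks every 12th, as in the original question. The `guard_div` case is worth checking in your own data: a day with fewer than 5000 events makes div 0 and silently empties the result, which is the kind of failure that would make a daily baseline look like missing data.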
