Splunk Search

Calculating the disk read write ratio

shabdadev
Engager

I have this below query . After the summation of values is calculated , i have to find the ratio of read versus write and have to modify this query only for that . How to do it?

index=nmon host=* type=DISKWRITE OR type=DISKREAD | stats sum(value) by type

Tags (1)
0 Karma
1 Solution

pradeepkumarg
Influencer

You can try something like this

index=nmon host=* type=DISKWRITE OR type=DISKREAD | stats sum(value) as value by type | eventstats sum(value) as total | head 1 | eval ratio = value/total

View solution in original post

0 Karma

Honey0308
Explorer

Try the following.

index=nmon host=* type=DISKWRITE OR type=DISKREAD
| stats sum(eval(type=DISKWRITE)) AS DiskWriteSum, sum(eval(type=DISKREAD)) AS DiskReadSum
| eval Ratio = round((DiskWriteSum/DiskReadSum),2)

You can omit the rounding off, if required. Hope this works fine.

0 Karma

pradeepkumarg
Influencer

You can try something like this

index=nmon host=* type=DISKWRITE OR type=DISKREAD | stats sum(value) as value by type | eventstats sum(value) as total | head 1 | eval ratio = value/total
0 Karma

shabdadev
Engager

See till here
index=nmon host=* type=DISKWRITE OR type=DISKREAD | stats sum(value) as value by type

query returns the output like this :

type sum(value)

diskread 2.3445

diskwrite 3.56666

Aftert this i want to compute the ratio of read versus write i.e diskread / diskwrite

how to do this one?

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

try this

index=nmon host=* type=DISKWRITE OR type=DISKREAD 
| eval WriteValue=if(type="DISKWRITE", value,0)
| eval ReadValue=if(type="DISKREAD", value,0)
| stats count, sum(ReadValue) as ReadValue, sum(WriteValue) as WriteValue,  sum(value) as TotalValue
| eval ReadPercent=ReadValue/TotalValue
| eval WritePercent=WriteValue/TotalValue,
| eval ReadRatio=ReadValue/If(WriteValue==0,0.01,WriteValue)
| table count, ReadValue, ReadPercent, WriteValue, WritePercent, ReadRatio 

It calculates a few extra things so you can check the results. After you've verified it, you can remove anything you don't want to see.

shabdadev
Engager

Thanks a lot 🙂 .it worked

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

You are quite welcome. Please accept one of the helpful answers. gpradeepkumarreddy's is fine - it got you pretty much there.

Richfez
SplunkTrust
SplunkTrust

Possibly solvable without this, but it would be easier and quicker (with far fewer false starts, probably) if we had a few of the original events to look at.

0 Karma

shabdadev
Engager

I cant provide the events . can you please provide the solution to this ......each event of diskread has a value and same is the case with diskwrite . I have to find the disk read write ratio .

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...