How to get Eventstats Statistics based on a condition

hio77
New Member

Looking for a bit of advice on how to pull this one off.

What I'm trying to do is take some data that also has a flag evaled into every event, and work out the median only where that condition is true.

Short of a sub query, which I'm avoiding venturing into, I'm pretty stuck on ideas.
Example data:

_time       Reconnections  CSW  SpeedUpperLimit  MedianDSRate  SpeedLowerLimit  PSW       ddDLMReconnection
2018-01-01  2              2    14904            14404         13404            100.00 %  1
2018-01-02  2              2    14904            14404         13404            100.00 %  1
2018-01-03  2              2    14904            14404         13404            100.00 %  0
2018-01-04  6              5    14904            14404         13404            83.33 %   0

This is based on the following query:

| search PACKET_TYPE=ACCESS-ACCEPT OR PACKET_TYPE=STOP
| reverse
| streamstats current=f last(_time) AS Last_Time
| reverse
| eval TimeBetweenSession = abs(_time - Last_Time)
| bucket span=1d _time
| eval ReconnectionType = if(TimeBetweenSession >= $dlmsecmin$ AND TimeBetweenSession <= $dlmsecmax$, "DLM Related Resync", ReconnectionType)
| eventstats median(DSL_DSRATE) AS M by _time
| eval FixedLogicFlag = if(M < 15000, 1, 0)
| eval ReportError = if(isnull(DSL_DSRATE) OR DSL_DSRATE="", "True", "False")
| eval SRU = if(FixedLogicFlag == 1, M + 500, M * 1.03)
| eval SRL = if(FixedLogicFlag == 1, M - 1000, M * 0.92)
| stats first(ReportError) AS ReportError first(FixedLogicFlag) AS FixedLogicFlag count(DSL_DSRATE) AS Reconnections count(eval(ReconnectionType == "DLM Related Resync")) AS ddDLMReconnection first(SRU) AS SpeedUpperLimit median(DSL_DSRATE) AS MedianDSRate first(SRL) AS SpeedLowerLimit count(eval(DSL_DSRATE >= SRL AND DSL_DSRATE <= SRU)) AS CSW by _time
| eval PSW = (CSW / Reconnections) * 100
| eval "Logic Outcome" = if(ReportError == "True", "Inconclusive (Reporting Error)", if(Reconnections >= 10, if(PSW > 82, "Inconclusive", "Truckroll"), "Inconclusive(Low Reauths)"))
| table _time Reconnections CSW SpeedUpperLimit MedianDSRate SpeedLowerLimit PSW "Logic Outcome" ddDLMReconnection

martin_mueller
SplunkTrust

... | eventstats median(field) as median by condition | eval median = case(condition="true", median)

The eventstats will calculate the median for true and the median for false, the eval will only keep the value for true and unset the other values.
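Applying that pattern to the asker's field names, as an added example that is neither martin_mueller's nor the original poster's code: the events are constructed inline with makeresults (values are made up), and the condition is assumed to be ReconnectionType = "DLM Related Resync", the flag the asker evals into every event. The eventstats groups by _time and the condition, the case() keeps the median only on events where the condition holds, and because stats functions skip null values the final first(M) by _time returns the conditional median for each day.

```spl
| makeresults count=8
| streamstats count AS n
| eval _time = strptime("2018-01-01", "%Y-%m-%d") + floor((n - 1) / 4) * 86400
| eval DSL_DSRATE = case(n=1, 14404, n=2, 13404, n=3, 20000, n=4, 14904, n=5, 9000, n=6, 15000, n=7, 14200, n=8, 13900)
| eval ReconnectionType = if(n=1 OR n=2 OR n=3 OR n=6 OR n=7 OR n=8, "DLM Related Resync", "Normal Resync")
| bucket span=1d _time
| eventstats median(DSL_DSRATE) AS M by _time ReconnectionType
| eval M = case(ReconnectionType="DLM Related Resync", M)
| stats median(DSL_DSRATE) AS MedianDSRate first(M) AS ConditionalMedian by _time
```

On the real data, replace the makeresults and the two constructing eval lines with the base search and the existing eval that sets ReconnectionType; an equivalent form is eval M_cond = if(ReconnectionType="DLM Related Resync", DSL_DSRATE, null()) followed by eventstats median(M_cond) AS M by _time, which works for the same reason (null values are ignored by the median).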
