index=myvmr_main sourcetype="dbinput:solarwindsmyVMRQosQueue"
| eval total_packet=if(match(Stats_Name, "Pre-Policy"), SUM_of_Bytes, null())
| eval packet_drop=if(match(Stats_Name, "Drops"), SUM_of_Bytes, null())
| streamstats window=2 values(total_packet) as total, values(packet_drop) as dropVal by NodeName
| search dropVal > 0
| eval drop_perc=round((dropVal/total)*100,2)
| bin span=30m _time
| chart avg(drop_perc) as "Drop %" by NodeName
Hey @vijayparthasarathy,
index=myvmr_main sourcetype="dbinput:solarwindsmyVMRQosQueue"
Filtering "dbinput:solarwindsmyVMRQosQueue" events from myvmr_main index.
| eval total_packet=if(match(Stats_Name, "Pre-Policy"), SUM_of_Bytes, null())
| eval packet_drop=if(match(Stats_Name, "Drops"), SUM_of_Bytes, null())
Evaluation function match(SUBJECT, "REGEX"): this function returns TRUE or FALSE based on whether REGEX matches SUBJECT.
Have a look at this example for more information.
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/ConditionalFunctions#match.28SUBJE...
| streamstats window=2 values(total_packet) as total, values(packet_drop) as dropVal by NodeName
Streamstats - Adds cumulative summary statistics to all search results in a streaming manner
window - Specifies the number of events to use when computing the statistics
Have a look at the streamstats doc.
| search dropVal > 0
Filtering results where dropVal > 0
| eval drop_perc=round((dropVal/total)*100,2)
Calculating the percentage.
| bin span=30m _time
Create a bucket of _time with span of 30m
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Bin
| chart avg(drop_perc) as "Drop %" by NodeName
Calculating average of percentage by nodename.
Well, you can see the results after each pipe and look at the changes happening.
Let me know if this helps!
Hi,
eval total_packet=if(match(Stats_Name, "Pre-Policy"), SUM_of_Bytes, null())
You are creating a new field called total_packet. The value of the field is conditioned on the field Stats_Name.
If the field Stats_Name is equal to Pre-Policy, the value of the new field total_packet will be equal to SUM_of_Bytes, and if not it will be null.
eval packet_drop=if(match(Stats_Name, "Drops"), SUM_of_Bytes, null())
You are creating a new field called packet_drop. The value of the field is conditioned on the field Stats_Name.
If the field Stats_Name is equal to Drops, the value of the new field packet_drop will be equal to SUM_of_Bytes, and if not it will be null.
streamstats window=2 values(total_packet) as total, values(packet_drop) as dropVal by NodeName
This command will create two new fields for the last 2 events seen in a streaming manner by NodeName:
total, which is the values of the new field total_packet
dropVal, which is the values of the new field packet_drop
e.g.:
Consider the NodeName as your clientIP
Consider total_packet as bytes
Consider total as ASimpleSumOfBytes
|search dropVal > 0
You are filtering results where the value of the field dropVal is greater than 0.
eval drop_perc=round((dropVal/total)*100,2)
Calculating the percentage of drop packets and adding the value in a new field called drop_perc.
bin span=30m _time
You are searching in periods of 30 min.
Meaning if you ran this search for the last 4 hours, you will be calculating the above fields per 30 min, meaning you will have 8 results (8 * 30 min = 4 hours).
| chart avg(drop_perc) as "Drop %" by NodeName
Final result: a chart with the X-axis being the average of the percentage field created above drop_perc and the Y-axis the Nodename.
I hope this will help you.
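Both answers above walk through the search pipe by pipe; the following is an added example (not code from either answer, and not Splunk code) that emulates each stage in Python over a handful of constructed rows, so the intermediate values of total, dropVal and drop_perc can be inspected. It assumes the field names used in the query (NodeName, Stats_Name, SUM_of_Bytes, _time) and invents the Stats_Name strings "Pre-Policy Bytes" and "Drops Bytes" to match the two regexes; Splunk's arithmetic on multivalue fields is deliberately not modelled (a field that is still multivalue at the division step is treated as null).

```python
"""Stage-by-stage emulation of the SPL search discussed in this thread.
Added example code; the events below are constructed, not real SolarWinds
data, and the field names are taken from the query as posted."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _ev(minutes, node, stats_name, total_bytes):
    # _time is relative to a fixed epoch so the 30-minute bins are predictable
    base = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    return {"_time": base + timedelta(minutes=minutes), "NodeName": node,
            "Stats_Name": stats_name, "SUM_of_Bytes": total_bytes}


# Constructed rows in the order the search would return them. The Stats_Name
# values are assumptions chosen to match the "Pre-Policy" and "Drops" regexes.
SAMPLE_EVENTS = [
    _ev(0, "rtr-a", "Pre-Policy Bytes", 100000),
    _ev(0, "rtr-a", "Drops Bytes", 2000),
    _ev(5, "rtr-b", "Pre-Policy Bytes", 50000),
    _ev(5, "rtr-b", "Drops Bytes", 0),
    _ev(15, "rtr-a", "Pre-Policy Bytes", 200000),
    _ev(15, "rtr-a", "Drops Bytes", 8000),
    _ev(35, "rtr-a", "Pre-Policy Bytes", 100000),
    _ev(35, "rtr-a", "Drops Bytes", 1000),
    _ev(40, "rtr-b", "Drops Bytes", 500),   # a Drops row with no Pre-Policy partner
]


def stage_eval(events):
    """| eval total_packet=if(match(Stats_Name, "Pre-Policy"), SUM_of_Bytes, null())
       | eval packet_drop=if(match(Stats_Name, "Drops"), SUM_of_Bytes, null())"""
    out = []
    for e in events:
        e = dict(e)
        e["total_packet"] = e["SUM_of_Bytes"] if re.search("Pre-Policy", e["Stats_Name"]) else None
        e["packet_drop"] = e["SUM_of_Bytes"] if re.search("Drops", e["Stats_Name"]) else None
        out.append(e)
    return out


def stage_streamstats(events, window=2):
    """| streamstats window=2 values(total_packet) as total, values(packet_drop) as dropVal by NodeName
    The window is the current event plus the previous one for the same NodeName;
    values() yields the distinct non-null values seen inside that window."""
    recent = defaultdict(lambda: deque(maxlen=window))
    out = []
    for e in events:
        w = recent[e["NodeName"]]
        w.append(e)
        e = dict(e)
        e["total"] = sorted({x["total_packet"] for x in w if x["total_packet"] is not None})
        e["dropVal"] = sorted({x["packet_drop"] for x in w if x["packet_drop"] is not None})
        out.append(e)
    return out


def _single(values):
    # Simplification (assumption): only a single-valued field enters the arithmetic.
    return values[0] if len(values) == 1 else None


def stage_filter_and_percent(events):
    """| search dropVal > 0
       | eval drop_perc=round((dropVal/total)*100,2)"""
    out = []
    for e in events:
        if not any(v > 0 for v in e["dropVal"]):   # search matches if any value is > 0
            continue
        e = dict(e)
        total, drop = _single(e["total"]), _single(e["dropVal"])
        # missing or zero total gives null, as division by null/zero does in eval
        e["drop_perc"] = round(drop / total * 100, 2) if total and drop is not None else None
        out.append(e)
    return out


def bin_time(t, span_minutes=30):
    """| bin span=30m _time  (floor _time to the start of its 30-minute bucket)"""
    return t.replace(minute=(t.minute // span_minutes) * span_minutes, second=0, microsecond=0)


def stage_chart(events):
    """| chart avg(drop_perc) as "Drop %" by NodeName
    chart groups by NodeName only, so the binned _time does not split the rows;
    avg() skips null drop_perc values."""
    acc = defaultdict(list)
    for e in events:
        if e["drop_perc"] is not None:
            acc[e["NodeName"]].append(e["drop_perc"])
    return {node: round(sum(v) / len(v), 2) for node, v in sorted(acc.items())}


def run_pipeline(events=SAMPLE_EVENTS):
    """Returns (rows after the drop_perc step, final chart) for inspection."""
    rows = stage_filter_and_percent(stage_streamstats(stage_eval(events)))
    return rows, stage_chart(rows)


if __name__ == "__main__":
    rows, chart = run_pipeline()
    for r in rows:
        print(bin_time(r["_time"]).strftime("%H:%M"), r["NodeName"], r["Stats_Name"],
              "total=", r["total"], "dropVal=", r["dropVal"], "drop_perc=", r["drop_perc"])
    print(chart)
```

Two things the emulation makes visible that the prose walkthroughs do not: because the window is two events per node, every Pre-Policy row is paired with the previous Drops row (the rtr-a row at 00:15 pairs 2000 dropped bytes with the new 200000 total), so the chart averages both the intended Drops-after-Pre-Policy pairs and these offset pairs; and since _time is not in the chart's by clause, the bin produces no per-30-minute rows, so per-interval output needs _time in the grouping (for example timechart span=30m avg(drop_perc) by NodeName).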
Evaluating total packets dropped by node name every 30 minutes