Solved: Can you help me with this subsearch Question using...

bobbieluturner · ‎10-11-2018

I have this query that uses the timewrap command that I want to insert a subsearch instead of a 'fixed' value ( 193 ) .

I can't get the subsearch to work to insert the hostcount value inplace of the fixed value of 193.

Can anyone help me solve my query?

This is my subsearch:

index=blah  host=blah | fields host | dedup host  |table host | stats count as hostcount

This is the query where I need to insert the 'hostcount' instead of the fixed value of 193:

index=wineventlogapp  EventCode=21 
| dedup host 
| timechart span=1w count(host) as Failures 
| timewrap w series=short 
| addtotals * 
| table Failures* Total 
| eval Week0%=round((193-Failures_s0)/193*100,1) 
| eval Week1%=round((193-Failures_s1)/193*100,1)  
| eval Week2%=round((193-Failures_s2)/193*100,1) 
| eval Week3%=round((193-Failures_s3)/193*100,1) 
| eval Week4%=round((193-Failures_s4)/193*100,1)
| eval Monthly%=tostring(round((('Week0%' + 'Week1%' + 'Week2%' + 'Week3%'+ 'Week4%')/5),1)) + "%" 
| eval Week0%=tostring(round((193-Failures_s0)/193*100,1)) +"%"
| eval Week1%=tostring(round((193-Failures_s1)/193*100,1)) +"%"
| eval Week2%=tostring(round((193-Failures_s2)/193*100,1)) +"%"
| eval Week3%=tostring(round((193-Failures_s3)/193*100,1)) +"%"
| eval Week4%=tostring(round((193-Failures_s4)/193*100,1)) +"%"
| rename Failures_s0 as Week1_count, Failures_s1 as Week2_count, Failures_s2 as Week3_count, Failures_s3 as Week4_count, Failures_s4 as Week5_count, Week0% as Week1_Cum%, Week1% as Week2_Cum%, Week2% as Week3_Cum%, Week3% as Week4_Cum%, Week4% as Week5_Cum%, Total as "Total Monthly SolidCore Failures", Monthly% as "Monthly SolidCore ScoreCard %" 
| table "Monthly SolidCore ScoreCard %" "Total Monthly SolidCore Failures" Week1_count Week1_Cum% Week2_count Week2_Cum% Week3_count Week3_Cum% Week4_count Week4_Cum% Week5_count Week5_Cum%

I can't get it to work - please help....

renjith_nair · ‎10-14-2018

@bobbieluturner,

Have you tried using appendcols which will give you an extra field with the desired value and then you can use it in your calculations?
For e.g.

index=wineventlogapp  EventCode=21 
 | dedup host 
 | timechart span=1w count(host) as Failures 
 | timewrap w series=short 
 | addtotals * 
 | table Failures* Total 
 | appendcols[ index=blah  host=blah | fields host | dedup host  |table host | stats count as hostcount]|filldown hostcount
 | eval Week0%=round((hostcount-Failures_s0)/hostcount*100,1)
 | .....rest of your search...

Happy Splunking!

View solution in original post

bobbieluturner · ‎10-18-2018

Both of these suggestion worked and taught me new ways to do the same thing - Thanks! Great Great information.

Would you happen to know how to get the name of the month (date_month) into the output?
Example: have the table output say "October Monthly Scorecard %" etc..

woodcock · ‎10-17-2018

You can do it like this:

| makeresults | eval count = [ search index=blah  host=blah | fields host | dedup host  |table host | stats count as hostcount | return $hostcount]
| map search="search index=wineventlogapp  EventCode=21 
| dedup host 
| timechart span=1w count(host) as Failures 
| timewrap w series=short 
| addtotals * 
| table Failures* Total 
| eval Week0%=round(($count$-Failures_s0)/$count$*100,1) 
| eval Week1%=round(($count$-Failures_s1)/$count$*100,1)  
| eval Week2%=round(($count$-Failures_s2)/$count$*100,1) 
| eval Week3%=round(($count$-Failures_s3)/$count$*100,1) 
| eval Week4%=round(($count$-Failures_s4)/$count$*100,1)
| eval Monthly%=tostring(round((('Week0%' + 'Week1%' + 'Week2%' + 'Week3%'+ 'Week4%')/5),1)) + \"%\" 
| eval Week0%=tostring(round(($count$-Failures_s0)/$count$*100,1)) +\"%\"
| eval Week1%=tostring(round(($count$-Failures_s1)/$count$*100,1)) +\"%\"
| eval Week2%=tostring(round(($count$-Failures_s2)/$count$*100,1)) +\"%\"
| eval Week3%=tostring(round(($count$-Failures_s3)/$count$*100,1)) +\"%\"
| eval Week4%=tostring(round(($count$-Failures_s4)/$count$*100,1)) +\"%\"
| rename Failures_s0 as Week1_count, Failures_s1 as Week2_count, Failures_s2 as Week3_count, Failures_s3 as Week4_count, Failures_s4 as Week5_count, Week0% as Week1_Cum%, Week1% as Week2_Cum%, Week2% as Week3_Cum%, Week3% as Week4_Cum%, Week4% as Week5_Cum%, Total as \"Total Monthly SolidCore Failures\", Monthly% as \"Monthly SolidCore ScoreCard %\" 
| table \"Monthly SolidCore ScoreCard %\" \"Total Monthly SolidCore Failures\" Week1_count Week1_Cum% Week2_count Week2_Cum% Week3_count Week3_Cum% Week4_count Week4_Cum% Week5_count Week5_Cum% "

renjith_nair · ‎10-14-2018

@bobbieluturner,

Have you tried using appendcols which will give you an extra field with the desired value and then you can use it in your calculations?
For e.g.

index=wineventlogapp  EventCode=21 
 | dedup host 
 | timechart span=1w count(host) as Failures 
 | timewrap w series=short 
 | addtotals * 
 | table Failures* Total 
 | appendcols[ index=blah  host=blah | fields host | dedup host  |table host | stats count as hostcount]|filldown hostcount
 | eval Week0%=round((hostcount-Failures_s0)/hostcount*100,1)
 | .....rest of your search...

Happy Splunking!

Can you help me with this subsearch Question using Splunk's TimeWrap command?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!