Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is the following calculation possible ?

luckyman80
Path Finder
‎01-31-2019 02:38 AM

I'm currently generating an AvgTime of processing cycles in a thread within a 5 min duration and writing these out to a log similar to this

[PrepareEvents, DispatchAll]

PrepareEvents samples Avg: 2757ns; Median: 1411ns; Max: 1533433ns; Total Events: 277138; Total Items: 314155

I want to perform the following calculation so i find out how many average ns i've spent processing cycles in the 5min duration

avgTime (multiply i cant add star here) Total items * 100 / (5 min in nanos

Can i do this in splunk ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-31-2019 02:47 AM

Hi @luckyman80

Does this do what you need: <your search> | rex "Avg:\s*(?<avg>\d+)ns;\s*Median:\s*(?<median>\d+)ns;\s*Max:\s*(?<max>\d+)ns;\s*Total Events:\s*(?<total_events>\d+);\s*Total Items:\s*(?<total_items>\d+)" | eval result = (avg * total_items) / 300000000000

All the best, Chris.

View solution in original post

Reply
Solved! Jump to solution

luckyman80
Path Finder
‎01-31-2019 03:32 AM

actually i see the issue. it seems the percentage calculation is missing from your first example

Total items * 100

how do I make this a percentage ?

0 Karma
Reply
Solved! Jump to solution

DMohn
Motivator
‎01-31-2019 03:42 AM

If you just need the results to be displayed as a percentage you can add a | eval result = result." %" to the search string.

This can even be used for rounding down if needed: |eval result = round(result,2)." %"

0 Karma
Reply
Solved! Jump to solution

luckyman80
Path Finder
‎01-31-2019 03:21 AM

Thanks guys this looks good one last ask .. sorry for all the questions.. do you know how to turn the result into a percentage rather then raw value ?

0 Karma
Reply
Solved! Jump to solution

luckyman80
Path Finder
‎01-31-2019 03:10 AM

Hi Chris, Thanks for your prompt response. How do I show the result from the calculation only ?

Thanks again

Paul

0 Karma
Reply
Solved! Jump to solution

DMohn
Motivator
‎01-31-2019 03:14 AM

just add a |table result to the search Chris provided!

Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-31-2019 03:13 AM

Hi Paul

<your search> | rex "Avg:\s*(?<avg>\d+)ns;\s*Median:\s*(?<median>\d+)ns;\s*Max:\s*(?<max>\d+)ns;\s*Total Events:\s*(?<total_events>\d+);\s*Total Items:\s*(?<total_items>\d+)" | eval result = (avg * total_items) / 300000000000 | table result

Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-31-2019 02:47 AM

Hi @luckyman80

Does this do what you need: <your search> | rex "Avg:\s*(?<avg>\d+)ns;\s*Median:\s*(?<median>\d+)ns;\s*Max:\s*(?<max>\d+)ns;\s*Total Events:\s*(?<total_events>\d+);\s*Total Items:\s*(?<total_items>\d+)" | eval result = (avg * total_items) / 300000000000

All the best, Chris.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...