help on a clever stats count in order to calculate...

jip31 · ‎10-09-2019

hello

I use the search below in order to calcul a volume in %
As you can see, I first calculate events where process_cpu_used_percent>80 (before appendcols) and then I count the total number of hosts (after appendcols)
My question concern this count
What I would like to do is not to count the total number of hosts but to count only the host where process_cpu_used_percent<80
The goal is to have a more precise % because if I count the total number of hosts it might happen that some hosts are not connected on the network or might not have the UF Splunk agent installed
Could you help me please?

[| inputlookup host.csv 
    | table host] `CPU` 
| where process_cpu_used_percent>80 
| stats dc(host) as NbHostProcessSup80 
| appendcols 
    [| inputlookup host.csv 
    | stats dc(host) as NbIndHost] 
| eval Perc=round((NbHostProcessSup80/NbIndHost)*100,2)
| table Perc, NbIndHost

KailA · ‎10-09-2019

Hello,

You can use condition in your count.
Something like that

stats count(eval(process_cpu_used_percent < 80)) as NbHostProcessInf80

Let me know if it works 🙂

jip31 · ‎10-09-2019

hi
it doesnt works I have no results.....
to my mind, it miss the CPU macro after appendcols no?
I try to put it but I have the message Error in 'appendcols' command: The last argument must be a subsearch.

[| inputlookup host.csv 
    | table host] `CPU` 
| where process_cpu_used_percent>80 
| stats dc(host) as NbHostProcessSup80 
| appendcols 
    [| inputlookup host.csv  
    | stats count(eval(process_cpu_used_percent < 80)) as NbHostProcessInf80]
| eval Perc=round((NbHostProcessSup80/NbHostProcessInf80)*100,2) 
| table Perc

jip31 · ‎10-18-2019

Is anybody cant help me?

help on a clever stats count in order to calculate a volume

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor