- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to aggregate the results based on the resu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to aggregate the results based on the results of the transforming command?
I'm trying to calculate the percentage of resources that are consumed by a job based on the start time of the job.
Each job has more than one event and startTime could vary in the events. So I'm considering the earliest start time of the job.
Using eventstats is not producing the events which im looking at.
stats earliest(start_time) as start_time by job, If this is replaced in the place of eventstats im getting the results what I want.
Can someone assist me on this?
index=main
| search trainId=acggalladks"
| eventstats earliest(start_time) as start_time by job
| stats first(cpu) as total_cpu sum(cpu) as MB by start_time, job
| eval pct = round((MB/total_cpu)*100, 2)
| table pct job
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to clarify: Let us assume your events are (please add any missing fields):
job,start_time,cpu
Job A, 6am, 25
Job A, 7am, 35
Job A, 8am, 30
Job B, 8am, 10
Then what output do you want from the search?
And how do you calculate total_cpu?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The total_cpu is the common for all the events.
I'm adding another row for job B which is job B 6am
I want output to be as below.
Job A, 6am, 25 pct_value
job B, 6am, 10 pct_value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this query and it's giving me the output what im looking at. But is it possible to get the output without join command?
index=main
| search trainId="somevalue"
| join start_time
[ search index=main
| search trainId="somevalue"
| stats earliest(start_time) as start_time by job
| table start_time ]
| stats first(cpu) as total_cpu sum(cpu) as MB by start_time, job
| eval pct = round((MB/total_cpu)*100, 2)
| table start_time pct job
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about:
index=main
| ...
| stats earliest(cpu) as total_cpu earliest(start_time) as start_time sum(cpu) as MB by job
| eval pct = ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@whrg, That way it won't work because i want the values of the start_time to be used in the by clause.
I got it solved without join but looking for an optimal way.
index=main
| search trainId="somevalue"
[ search index=main
| search trainId="somevalue"
| stats earliest(start_time) as start_time by job
| table start_time ]
| stats first(cpu) as total_cpu sum(cpu) as MB by start_time, job
| eval pct = round((MB/total_cpu)*100, 2)
| table start_time pct job
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
remove join and see you get the same results (why you are using join),
try this, I think you are expecting below the search
index=main
| search trainId=acggalladks"
| stats earliest(cpu) as total_cpu sum(cpu) as MB by job
| eval pct = round((MB/total_cpu)*100, 2)
| table pct job
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=main
| search trainId="somevalue"
| stats earliest(start_time) as start_time by job
Whatever the output that returns by the field start_time from the above search need to be used in the by clause for the below query.
index=main
| search trainId="somevalue"
stats first(cpu) as total_cpu sum(cpu) as MB by start_time, job
| eval pct = round((MB/total_cpu)*100, 2)
| table start_time pct job
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
use map command
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
