- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to calculate the monthly wise data if we have ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to calculate the monthly wise data if we have data from (1jan 2018 to sep 31).
Hello everyone.
Want to display the output only for the time which crosses 18 months (earliest time)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
host=sbej* sourcetype=kekc_thjs R=* index=perf earliest=1514764800 latest=1538265600
| eval host_type=case(host LIKE "%wad%", "WAd") | bin span=1mon _time
| streamstats count as Request by host_type, _time
| eval RequestsPerMin=Request/24*30/60
| eval RequestsPerSec=RequestsPerMin/60
|stats count(R) as Requests avg(RequestsPerSec) as AvgRequestsPerSec, max(RequestsPerSec) as MaxRequestsPerSec, p95(RequestsPerSec) as P95RequestsPerSec by _time host_type
|eval AvgRequestsPerSec=round(AvgRequestsPerSec,2), MaxRequestsPerSec=round(MaxRequestsPerSec,2), P95RequestsPerSec=round(P95RequestsPerSec,2)
|sort -MaxRequestsPerSec, -P95RequestsPerSec
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try. Since every month doesn't have same number of days, we'll actually calculate averages at hour level and then aggregating them at month level.
host=sbej* sourcetype=kekc_thjs R=* index=perf earliest=1514764800 latest=1538265600
| eval host_type=case(host LIKE "%wad%", "WAd") | bin span=1d _time
| stats count as Request by host_type, _time
| eval RequestsPerMin=round(Request/(24*60),2)
| eval RequestsPerSec=round(RequestsPerMin/60,2)
| eval Month=strftime(_time,"%B")
|stats sum(Request) as Requests avg(RequestsPerSec) as AvgRequestsPerSec, max(RequestsPerSec) as MaxRequestsPerSec, p95(RequestsPerSec) as P95RequestsPerSec by Month host_type
| foreach Avg* [ eval <<FIELD>>=round('<<FIELD>>',2) ]
|sort -MaxRequestsPerSec, -P95RequestsPerSec
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Whats the expected output? what all columns you want to see?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I were you, I would start with the base search and also change that streamstats to stats, just to see how it behaves. If that gives you the expected result then you can move forward. Can you please try this and let me know the output?
host=sbej* sourcetype=kekc_thjs R=* index=perf earliest=1514764800 latest=1538265600
| eval host_type=case(host LIKE "%wad%", "WAd") | bin span=1mon _time
| stats count as Request by host_type, _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Rajhemant26,
Why don't you create a use field date_month which is already availabe by default. Based on that you can use stats command to club event by month.
Thanks.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
