Showing baseline result relative to other results

jrjarcher · ‎04-06-2020

I have a line chart that plots results for a bunch of tests. One of the tests is a "baseline" result. Each result includes a value that indicates the baseline to compare with.

I currently have a query that looks something like:

<search base="First_Base_Search">
          <query>| stats perc50("Variables.Xmetrics.totalCpuUtilizationSeconds") as "50th Percentile" by "Variables.deviceBuild"</query>
        </search>

How can I modify the query to plot the baseline result? There is a variable called: "Variables.baselineBuild", so I can search for the baseline result and get its Variables.Xmetrics.totalCpuUtilizationSeconds.

I just don't know SPL well enough to wrap my head around how I can do this secondary query and then reference it when drawing the chart UI element.

DalJeanis · ‎04-10-2020

I'm assuming that the baselineBuild value is the same field format as the deviceBuild, and refers to one of the deviceBuilds

Try this -

| stats 
    perc50("Variables.Xmetrics.totalCpuUtilizationSeconds") as BuildP50 
    max("Variables.baselineBuild") as Baseline
    by "Variables.deviceBuild"

| appendpipe 
    [| table "Variables.deviceBuild" BuildP50 
     | rename "Variables.deviceBuild" as Baseline
     | stats max(BuildP50) as BaselineP50 by Baseline
     | eval killme="killme"]

| eventstats max(BaselineP50) as BaselineP50 by Baseline
| where isnull(killme) 

| table "Variables.deviceBuild" BuildP50 Baseline BaselineP50

Although it seems to me that the complex names in the stats command should use single quotes, and I much prefer to get rid of them before doing any real SPL coding.

Showing baseline result relative to other results

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...