Thanks for the answers! I'll add my own final solution, which is much along the lines of Stephen's in that I perform one primary search and then slice and dice the results. The really tricky part is that I want this answer for more than one build at a time, so the only way I could figure it was to use the autoregress command to peek back at events of the "other" type and then calculate the answer only where the requisite data was available. It's pretty awesome that the Splunk query language can express this, as it's really an iterative process:
host=myhost
| extract reload=T
| search (script="vercheck.cgi" OR script="crashreport.cgi")
| stats count as startupCount by bld, script
| autoregress startupCount as crashCount
| autoregress script as prevScript
| autoregress bld as prevBld
| eval BSI=if(script="vercheck.cgi" AND prevScript="crashreport.cgi" AND bld=prevBld,100*(startupCount-crashCount)/startupCount,0)
| search BSI>0 AND startupCount>100
| fields + bld, BSI, startupCount, crashCount
which produces the nice, clean output:
bld     BSI        startupCount  crashCount
350447  70.967742  434           126
350352  75.700935  107           26
In the end, I realized that the output data is sensitive to the timescale of the search, but it's not really bucketed the way a timechart is.
Thanks again for the community support!
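An added example, not code from the original post: a Python emulation of the stats / autoregress / eval pipeline above, run over constructed sample events, so the row-order dependence of autoregress can be seen directly. It also covers the case a bld=prevBld guard exists for: a build with crash reports but no version checks sorting immediately before a build with version checks only, which would otherwise borrow the wrong crashCount. Builds, counts and the `bsi_per_build` helper are all assumptions for the illustration.

```python
from collections import Counter

# Constructed sample events (not from the original post), one record per hit
# on either CGI script. 350447 and 350352 mirror the post's two ratios;
# 350200 has only crash reports and 350300 only version checks.
EVENTS = (
    [{"script": "vercheck.cgi", "bld": "350447"}] * 31
    + [{"script": "crashreport.cgi", "bld": "350447"}] * 9
    + [{"script": "vercheck.cgi", "bld": "350352"}] * 107
    + [{"script": "crashreport.cgi", "bld": "350352"}] * 26
    + [{"script": "crashreport.cgi", "bld": "350200"}] * 3
    + [{"script": "vercheck.cgi", "bld": "350300"}] * 5
)


def stats_count_by(events, keys):
    """Emulate `stats count by bld, script`: one row per key combination,
    ordered by the by-fields. Lexical order puts crashreport.cgi before
    vercheck.cgi within each bld, which is what autoregress relies on."""
    counts = Counter(tuple(e[k] for k in keys) for e in events)
    return [dict(zip(keys, k), count=n) for k, n in sorted(counts.items())]


def bsi_per_build(events, min_startups=0):
    """Emulate the autoregress (p=1) + eval stage: each row sees the previous
    row's fields. BSI is computed only on a vercheck row whose predecessor is
    the crashreport row of the SAME build (the bld=prevBld guard)."""
    rows = stats_count_by(events, ("bld", "script"))
    result = {}
    for prev, cur in zip([None] + rows[:-1], rows):
        if cur["script"] != "vercheck.cgi" or prev is None:
            continue
        if prev["script"] != "crashreport.cgi" or prev["bld"] != cur["bld"]:
            continue  # no matching crash row for this build: query yields BSI=0
        startup, crash = cur["count"], prev["count"]
        if startup > min_startups:  # mirrors `search startupCount>100`
            result[cur["bld"]] = round(100 * (startup - crash) / startup, 6)
    return result


if __name__ == "__main__":
    for bld, bsi in bsi_per_build(EVENTS).items():
        print(bld, bsi)
```

Without the bld check, build 350300 would receive a BSI computed from 350200's three crash reports; with it, 350300 is correctly left out.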