Splunk query for division of sums of entries within a time frame

Question

I have in the Splunk logs messages with the following format:

LogService product id=1 price=10.00 numberOfClients=4 profit=5.00

I need to create a query that will find all the records from the last day and will calculate:

sum(price * numberOfClients)/sum(profit),

and will trigger alerts if the result is not within [0.2, 0.8], where sum is the sum of the values for all the logged messages.

I have tried several ways of doing it, but it didn't work. Please advise.

score 2 · Accepted Answer · answered Jan 21 '17 at 09:32

2

The following search will create the calculation and will return result only if the result was below 0.2 or above 0.8

index=... 
|stats sum(price * numberOfClients) as A sum(profit) as B
|eval C=A/B
|where C<0.2 OR C>0.8

answered Jan 21 '17 at 09:32

barkai36

The reasoning behind the query is correct, however price * numberOfClients is treated like a regex and causes an error, so I had to do a separate eval before stats just to calculate the product. – user998692 Jan 30 '17 at 21:04

1 Answers1