Reputation: 5256
I have messages in the Splunk logs with the following format:
LogService product id=1 price=10.00 numberOfClients=4 profit=5.00
I need to create a query that will find all the records from the last day and will calculate:
sum(price * numberOfClients)/sum(profit),
and will trigger alerts if the result is not within [0.2, 0.8], where sum is the sum of the values for all the logged messages.
I have tried several ways of doing it, but it didn't work. Please advise.
Upvotes: 1
Views: 2051
Reputation: 186
The following search will create the calculation and will return a result only if the result was below 0.2 or above 0.8
index=...
| eval revenue=price*numberOfClients
| stats sum(revenue) as A sum(profit) as B
| eval C=A/B
| where C<0.2 OR C>0.8
Upvotes: 2
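The same calculation as an added reference implementation in Python, not taken from the question or the answer, which is handy for checking what the Splunk search should return on known input before wiring it to an alert. It extracts the key=value fields the way Splunk's automatic extraction would, keeps only events from the last day, computes sum(price * numberOfClients)/sum(profit), and applies the [0.2, 0.8] threshold. The timestamp prefix on each line, the sample events, the fixed "now" and the function names are all constructed assumptions for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data). Each line is an ISO-8601 timestamp
# followed by a message in the format from the question; Splunk would carry
# the timestamp in _time, here it is simply prefixed to the line.
SAMPLE_EVENTS = [
    "2024-05-02T09:00:00Z LogService product id=1 price=10.00 numberOfClients=4 profit=5.00",
    "2024-05-02T11:30:00Z LogService product id=2 price=2.50 numberOfClients=2 profit=20.00",
    # outside the one-day window, must be ignored
    "2024-04-20T08:00:00Z LogService product id=3 price=100.00 numberOfClients=1 profit=1.00",
    # malformed price: the revenue term is null, the profit still counts
    "2024-05-02T12:00:00Z LogService product id=4 price=abc numberOfClients=1 profit=5.00",
]

# Fixed reference time for the example (assumption); a real check would use utcnow().
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split a line into (timestamp, fields) using key=value extraction."""
    ts_text, _, message = line.partition(" ")
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return ts, dict(KV_RE.findall(message))


def profit_ratio(lines, now=NOW, window=timedelta(days=1)):
    """sum(price*numberOfClients)/sum(profit) over events inside the window.

    Returns None when sum(profit) is zero (including when nothing was logged),
    which is where A/B in the Splunk search would become null.
    """
    revenue = 0.0
    profit = 0.0
    for line in lines:
        ts, f = parse_event(line)
        if ts < now - window or ts > now:
            continue
        # Mirror stats semantics: a missing or non-numeric field makes that
        # term null and sum() ignores it, but the other sum is unaffected.
        try:
            revenue += float(f["price"]) * float(f["numberOfClients"])
        except (KeyError, ValueError):
            pass
        try:
            profit += float(f["profit"])
        except (KeyError, ValueError):
            pass
    if profit == 0:
        return None
    return revenue / profit


def should_alert(ratio, low=0.2, high=0.8):
    """True when the ratio falls outside [low, high] or could not be computed."""
    return ratio is None or ratio < low or ratio > high


if __name__ == "__main__":
    r = profit_ratio(SAMPLE_EVENTS)
    print("ratio:", r, "alert:", should_alert(r))
```

On the sample data the two in-window events contribute 40.00 + 5.00 revenue against 5.00 + 20.00 + 5.00 profit, so the ratio is 1.5 and the check fires. One deliberate difference from the search in the answer: when sum(profit) is 0 the Splunk expression C=A/B is null, the where clause drops the row and the alert stays silent; the Python version treats an uncomputable ratio as an alert condition, because a division-by-zero or an empty window is usually something you want to see rather than hide. In Splunk the one-day window is normally set as the alert's search time range rather than inside the query.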