splunk splunk-query splunk-sum splunk-calculation splunk-formula

Splunk query for division of sums of entries within a time frame

I have in the Splunk logs messages with the following format:

LogService product id=1 price=10.00 numberOfClients=4 profit=5.00

I need to create a query that will find all the records from the last day and will calculate:

sum(price * numberOfClients)/sum(profit),

and will trigger alerts if the result is not within [0.2, 0.8], where sum is the sum of the values for all the logged messages.

I have tried several ways of doing it, but it didn't work. Please advise.

Solution

The following search will create the calculation and will return result only if the result was below 0.2 or above 0.8

index=... 
|stats sum(price * numberOfClients) as A sum(profit) as B
|eval C=A/B
|where C<0.2 OR C>0.8

Regex Substitue only on a specific group - sedcmd (Splunk)
Regex to only return matches when followed by a specific word
embeding conf files into helm chart
How to create a timechart in splunk for the timestamp and extracted field?
Match regex named group up until optional word
How can I access the TraceId generated by splunk-otel-collector within an ASP.NET web application?
Splunk result in Table format
Splunk: How to compute the difference of timestamps by id?
SPLUNK: How can I count events by location with a list of SERVERNAME's?
How to represent difference between same fields from two different and simultaneous searches in a table format in Splunk?
Java 11 HttpClient - POST issue
Flume sink to Splunk?
Questions related to splunk builtin macros in correlation search
how to send the local file using splunk forwarder docker image?
A table of counts of http status by URL
How do I use a specific date/time in Splunk dashboard with earliest and latest?
Splunk - Handling a blank token for a dashboard search
Splunk - Extracting from search results using regex and aggregates
Splunk - Grouping by distinct field with stats of another field
Trying to log to Splunk using logback appender
How can I download infinite results from a Splunk Search to Export the Data
Regex extraction from Right to Left
How to use Python via AWS Lambda to send millions (large quantities of data) of events to Splunk
How to create a timechart with percentages by fields using a Splunk query?
Splunk: Show all the ids that are present in different events
How to show nested structures in Splunk table
Splunk regex filter events only one occurrence of special character
How to search a given time range for every day in Splunk?
Splunk Query to list down active users and the knowledge object created by them
choropleth map does not render in Dashboard Studio but it does in Classic Dashboards