Sumo's equivalent of Splunk eventstats?
Is there a way to achieve different aggregations with different split-by clauses without losing fields? In Splunk you would do this with eventstats rather than stats.
For example, if I want to find a peak rate of requests/minute of X, but want to find the 97th percentile of requests over the whole time range, I would need the following two steps:
1. To get the peak request rate I would need something like
| timeslice 1m
| count as Count by _timeslice, X
| max(Count) as Peak by X
2. To get the percentile I would need
| pct(Y,97) as PCT97 by X
but 2 cannot be done after 1, as Y is no longer available, and 1 cannot be done after 2, as _messagetime is no longer available.
In Splunk you would use eventstats to do this. How is this done with Sumo?
Official comment
Hi Antony,
This is possible through our join operator; however, I believe an equivalent (more elegant) method is in the works.
...
| timeslice 1m
// Requests per minute; the join below attaches the p97 of these counts to every row.
| count as cnt by _timeslice
// Join current table with pct result
// Use the venerable `1 as tmp` trick for the join key.
| join (1 as tmp) as t1,
(pct(cnt, 97) as k_percentile
| 1 as tmp) as t2 on t1.tmp = t2.tmp
// Cleanup fields from join operator.
| t1__timeslice as _timeslice
| t1_cnt as cnt
| t2_k_percentile as k_percentile
| fields - t1__timeslice, t1_cnt, t1_tmp, t2_k_percentile, t2_tmp
Feel free to ping me on the Slack channel if you have any further questions!
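Generalizing the official reply's join pattern to the split-by case the question asked for (an added example by the editor, not the official comment's code): each of the two aggregations runs as its own join subquery over the raw messages, and the split-by field takes the place of the constant `tmp` key. The source category, the `parse` pattern and the field names `endpoint` (standing in for X) and `latency` (standing in for Y) are assumptions; the example also assumes join subqueries accept the same chained aggregates as a top-level query, which the reply's own `pct` subquery suggests.

```sumo
// Added example: eventstats-style split-by query built on the join operator.
// Source category, parse pattern and field names are assumptions; adjust to your data.
_sourceCategory=prod/web
| parse "endpoint=* latency=*" as endpoint, latency
// Subquery t1 is step 1 from the question: peak requests/minute per endpoint.
// Subquery t2 is step 2: p97 of latency over the whole range per endpoint.
// Joining on the split-by field keeps both results on one row per endpoint.
| join
    (timeslice 1m
     | count as cnt by _timeslice, endpoint
     | max(cnt) as peak_per_min by endpoint) as t1,
    (pct(latency, 97) as latency_p97 by endpoint) as t2
  on t1.endpoint = t2.endpoint
// Strip the join prefixes, as in the reply, and keep only the final columns.
| t1_endpoint as endpoint
| t1_peak_per_min as peak_per_min
| t2_latency_p97 as latency_p97
| fields endpoint, peak_per_min, latency_p97
```

Unlike the reply's query, which keeps one row per timeslice and attaches a single global percentile to each, this variant collapses to one row per endpoint carrying both aggregates; if you also need the per-minute rows, keep the reply's `1 as tmp` key on the timeslice table and join the per-endpoint results onto it with `endpoint` as the key instead.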