I have in the Splunk logs messages with the following format:
LogService product id=1 price=10.00 numberOfClients=4 profit=5.00
I need to create a query that will find all the records from the last day and will calculate:
sum(price * numberOfClients)/sum(profit),
and will trigger alerts if the result is not within [0.2, 0.8], where sum is the sum of the values for all the logged messages.
I have tried several ways of doing it, but it didn't work. Please advise.
The following search will create the calculation and will return a result only if the result was below 0.2 or above 0.8:
index=... earliest=-24h
| stats sum(eval(price * numberOfClients)) as A sum(profit) as B
| eval C=A/B
| where C<0.2 OR C>0.8
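The same computation done offline in Python, as an added example that is not part of the original question or answer: it parses lines in the LogService key=value format, keeps only those from the last 24 hours, computes sum(price * numberOfClients)/sum(profit) and reports whether the value lies outside [0.2, 0.8]. The ISO-8601 timestamp prefix on each line and the sample lines are constructed assumptions (Splunk supplies the time as _time rather than in the message). One edge case the SPL search silently swallows is a zero profit sum: A/B is then null, the where clause drops the row and no alert fires, so this version treats "cannot compute" as an alert condition.

```python
"""Offline check of the LogService ratio alert (added example, not from the thread).

Assumptions: every line starts with an ISO-8601 timestamp, and the key=value
pairs price, numberOfClients and profit are present on the lines of interest.
"""
import re
from datetime import datetime, timedelta, timezone

KV_RE = re.compile(r"(\w+)=(\S+)")
LOW, HIGH = 0.2, 0.8

# Constructed sample log; the timestamp prefix is an assumption, not the page's format.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z LogService product id=1 price=10.00 numberOfClients=4 profit=5.00
2024-05-01T12:30:00Z LogService product id=2 price=25.00 numberOfClients=2 profit=30.00
2024-05-02T07:15:00Z LogService product id=3 price=8.00 numberOfClients=10 profit=60.00
2024-04-29T08:00:00Z LogService product id=4 price=100.00 numberOfClients=1 profit=1.00
2024-05-02T07:20:00Z Other message without the fields we need
"""

# Fixed "now" so the 24-hour window is reproducible.
DEMO_NOW = datetime(2024, 5, 2, 8, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Return (timestamp, fields) for a LogService line, or None if the line
    has no valid timestamp or lacks one of the three numeric fields."""
    try:
        ts_text, rest = line.split(" ", 1)
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    except ValueError:
        return None
    fields = dict(KV_RE.findall(rest))
    try:
        return ts, {k: float(fields[k]) for k in ("price", "numberOfClients", "profit")}
    except (KeyError, ValueError):
        return None


def ratio_last_day(log_text, now):
    """sum(price * numberOfClients) / sum(profit) over lines within the last
    24 hours before `now`. Returns (ratio, event_count); ratio is None when
    the profit sum is zero (division impossible) or no events matched."""
    cutoff = now - timedelta(days=1)
    a = b = 0.0
    count = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if not (cutoff <= ts <= now):
            continue
        a += f["price"] * f["numberOfClients"]
        b += f["profit"]
        count += 1
    if b == 0.0:
        return None, count
    return a / b, count


def should_alert(ratio):
    """True when the ratio is outside [LOW, HIGH] or could not be computed."""
    return ratio is None or ratio < LOW or ratio > HIGH


if __name__ == "__main__":
    r, n = ratio_last_day(SAMPLE_LOG, DEMO_NOW)
    print(f"events={n} ratio={r} alert={should_alert(r)}")
```

With the sample above, three lines fall inside the window (the 2024-04-29 line is too old and the last line carries no numeric fields), giving 170/95 and therefore an alert, since that is above 0.8.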