https://community.splunk.com/t5/Splunk-Enterprise/Help-with-a-query-to-calculate-percentage/m-p/651139#M16858 <P>Your search looks a little odd for what you are trying to do although it does depend on your data.</P><P>Since you have _time in your by clause, it is likely that your success count is likely to be either 1 or zero, same with the inprogress count.</P><P>If you remove the _time from your by clause, you will get the counts across the whole of the time period of the search (which might be what you actually want)</P><P>You can then do an eval based on your criteria for success or failure and count those again over the time period of your search using another stats command.</P><P>Finally, you can do an eval to determine the percentage success of all the events within the time period</P> Wed, 19 Jul 2023 15:35:13 GMT ITWhisperer 2023-07-19T15:35:13Z https://community.splunk.com/t5/Splunk-Enterprise/Help-with-a-query-to-calculate-percentage/m-p/651133#M16857 <P>Hello, I am working on a query where I need to set an alert based on failure percentages. Calculating the failure percentage is the tricky part. Here is my sample query -&nbsp;</P><LI-CODE lang="markup">index=myindex (status=success OR status=inprogress) | bin _time | stats count(eval(like(status, "success"))) as success count(eval(like(status, "inprogress"))) as inprogress by id _time </LI-CODE><P>&nbsp;</P><P>The conditions for access and failure are as below -</P><P>Success -&nbsp;</P><LI-CODE lang="markup">| where success = 1 AND inprogress &gt;=1</LI-CODE><P>Failure -</P><LI-CODE lang="markup">| where success = 0 AND inprogress &gt;=1</LI-CODE><P>Now I want to create an alert based on failure percentage of 10%. How do i calculate the failure and success percentage here? The id you are seeing in the BY clause is nothing but customer ID so I'd like to get alerted based on 10% failure,</P><P>Best Regards</P> Wed, 19 Jul 2023 15:06:25 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-with-a-query-to-calculate-percentage/m-p/651133#M16857 sunny_871 2023-07-19T15:06:25Z https://community.splunk.com/t5/Splunk-Enterprise/Help-with-a-query-to-calculate-percentage/m-p/651139#M16858 <P>Your search looks a little odd for what you are trying to do although it does depend on your data.</P><P>Since you have _time in your by clause, it is likely that your success count is likely to be either 1 or zero, same with the inprogress count.</P><P>If you remove the _time from your by clause, you will get the counts across the whole of the time period of the search (which might be what you actually want)</P><P>You can then do an eval based on your criteria for success or failure and count those again over the time period of your search using another stats command.</P><P>Finally, you can do an eval to determine the percentage success of all the events within the time period</P> Wed, 19 Jul 2023 15:35:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-with-a-query-to-calculate-percentage/m-p/651139#M16858 ITWhisperer 2023-07-19T15:35:13Z https://community.splunk.com/t5/Splunk-Enterprise/Help-with-a-query-to-calculate-percentage/m-p/651150#M16859 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;Thanks for the response. I have removed the _time.</P><P>Sorry how would i create or generate an eval with the below success and failure conditions? Could you give me a guidance.,</P><P>Best Regards,<BR />Shashank</P> Wed, 19 Jul 2023 17:26:19 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-with-a-query-to-calculate-percentage/m-p/651150#M16859 sunny_871 2023-07-19T17:26:19Z https://community.splunk.com/t5/Splunk-Enterprise/Help-with-a-query-to-calculate-percentage/m-p/651151#M16860 <LI-CODE lang="markup">| eval status=case(success = 1 AND inprogress &gt;=1, "success", success = 0 AND inprogress &gt;=1, "failure")</LI-CODE> Wed, 19 Jul 2023 17:53:23 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-with-a-query-to-calculate-percentage/m-p/651151#M16860 ITWhisperer 2023-07-19T17:53:23Z