topic Re: Query to get Percentage using two Queries. in Monitoring Splunk

Query to get Percentage using two Queries?

Deprasad — Tue, 30 Aug 2022 13:06:38 GMT

I've 2 queries, 1 will give the the total no of events and the other will give the counts by error type.
I'm trying to join the two queries so that I can get the percentage of each error type.

Query 1:
index=app "ResponseLoggingFilter" "Operation"
| stats count as Total_Transaction

Query 2:
index=app "ResponseLoggingFilter" "Operation" NOT "OK" NOT "1041"
| rex "(?:.+message\"\:\")(?<Error_Message>.+)(?:\"\,)"
| stats count by Error_Message

Re: Query to get Percentage using two Queries.

richgalloway — Tue, 30 Aug 2022 13:03:55 GMT

See if this helps

index=app "ResponseLoggingFilter" "Operation" | eventstats count as Total_Transaction | rex "(?:.+message\"\:\")(?<Error_Message>.+)(?:\"\,)" | eval Error_Message = if(match(_raw, "OK") OR match(_raw, "1041"), null(), Error_Message) | stats max(Total_Transaction) as Total_Transaction, count by Error_Message

Re: Query to get Percentage using two Queries.

Deprasad — Tue, 30 Aug 2022 14:19:55 GMT

Thanks for this query @richgalloway !

It worked. Further I added the below piece of query to get the percentage.

| eval Error_Percentage=round(100*count/Total_Transaction,2)."%"
| table Error_Message,count, Error_Percentage