https://community.splunk.com/t5/Splunk-Search/Understanding-bins-and-spans/m-p/443759#M125869 <P>look like you are making thing very difficult.<BR /> Please use the below query. it will work</P> <P>index="index" "message: end" <BR /> | timechart span=1h count as complete <BR /> | appendcols [ search index="index" "message: end" "status: failed"<BR /> | timechart span=1h count as failed ] <BR /> | eval percentage=failed*100/complete as "Failed %"</P> <P>Please let me know if any issues</P> Tue, 12 Jun 2018 08:54:51 GMT logloganathan 2018-06-12T08:54:51Z https://community.splunk.com/t5/Splunk-Search/Understanding-bins-and-spans/m-p/443758#M125868 <P>Hi,<BR /> here is a query that is supposed to calculate a % of failed operations over a period of time (A message 'end' is sent with a status that could be 'failed'). Please excuse incorrect or non technical terminology, I'm a very new to this. I am trying to make sure I understand the meaning of bin and span in this particular search. Does this mean that I'm putting all of my events into chunks by 1 hour (so all events from 11am until noon are in one bucket, all events from noon to 1pm are in the next bucket, etc). Then I calculate the total number of events per each bucket (count as complete), calculate the total number of events per each bucket where status=failed (eval(status="failed")). Then for the timechart command, I add up all these totals from each bucket over 1 day and calculate my percentage. Is that a correct understanding? Thank you!</P> <P>For example, if my data is like this:<BR /> event 1:<BR /> timestamp: June 11, 2018 9am<BR /> message: end<BR /> status: success<BR /> event 2:<BR /> timestamp: June 11, 2018 9:15am<BR /> message: end<BR /> status: failed</P> <P>event 3:<BR /> timestamp: June 11, 2018 10am<BR /> message: end<BR /> status: success<BR /> event 3:<BR /> timestamp: June 11, 2018 10:15am<BR /> message: end<BR /> status: success</P> <P>Then my failure rate % is (1+0)/(2+2)*100 = 25%, </P> <PRE><CODE>index="index" "message=end" | bin span=1h _time | stats count as complete, count(eval(status="failed")) as failed by _time | timechart span=1d eval(100*sum(eval(failed))/sum(eval(complete))) as "Failed %" </CODE></PRE> Mon, 11 Jun 2018 20:47:08 GMT https://community.splunk.com/t5/Splunk-Search/Understanding-bins-and-spans/m-p/443758#M125868 rnayshulis 2018-06-11T20:47:08Z https://community.splunk.com/t5/Splunk-Search/Understanding-bins-and-spans/m-p/443759#M125869 <P>look like you are making thing very difficult.<BR /> Please use the below query. it will work</P> <P>index="index" "message: end" <BR /> | timechart span=1h count as complete <BR /> | appendcols [ search index="index" "message: end" "status: failed"<BR /> | timechart span=1h count as failed ] <BR /> | eval percentage=failed*100/complete as "Failed %"</P> <P>Please let me know if any issues</P> Tue, 12 Jun 2018 08:54:51 GMT https://community.splunk.com/t5/Splunk-Search/Understanding-bins-and-spans/m-p/443759#M125869 logloganathan 2018-06-12T08:54:51Z