topic Re: Search query and calcs for dashboard presentation in Splunk Search

Search query and calcs for dashboard presentation

brimartens — Tue, 29 Sep 2020 14:33:29 GMT

I need to be able to query two values called Success and Failed (different criteria for each), and then do some quick calcs to determine the % of Success and % of Failed and display all 4 values in a dashboard. I've created the query below which is successful at pulling Success and Failed values, but I can't figure out how to calc the % values and display them. I need to output to be

Number Column % Column
Success Success %
Failed Failed %

sourcetype="fire-ext_prd_app" isProctor=true event=firstItemLoadTime securityLevel=1 isPractice=false | stats count(event) as Success | append [search sourcetype="fire-ext_prd_app" event="ProctorCache ypass" securityLevel=1 | stats count(event) as Failed] | eval SuccessPercent=Success/( Success + Failed ) | table Success, Failed, x

The first part works fine, but the tail end needs help:
eval SuccessPercent=Success/( Success + Failed ) | table Success, Failed, x

I need to be able add the second calculation for FailedPercent=Failed/( Success + Failed ), not sure how to add that to the string. And I need to be able to display the results in the format shown above.

Any guidance would be appreciated. This can't be hard but it's somehow eluding me at this point.

Re: Search query and calcs for dashboard presentation

cmerriman — Wed, 21 Jun 2017 23:52:42 GMT

Try adding this after your append search.

  |eval Status=if(isnotnull(Success),"Success","Failed")
    |eval StatusCount=coalesce(Success,Failed)
    |eventstats sum(StatusCount) as total
    |eval StatusPerc=StatusCount/total*100
|fields - Success - Failed

Re: Search query and calcs for dashboard presentation

somesoni2 — Thu, 22 Jun 2017 03:21:47 GMT

I would try like this. No subsearch/append.

sourcetype="fire-ext_prd_app" securityLevel=1 (isProctor=true event=firstItemLoadTime  isPractice=false) OR ( event="ProctorCache ypass") 
| eval Failed=if(event="ProctorCache ypass",1,0) 
| eval Success=abs(1-Failed)
| stats  sum(Success) as Success sum(Failed) as Failed
| eval "Success%"=Success*100/(Success-Failed)
| eval "Failed%"=Failed*100/(Success-Failed)

Re: Search query and calcs for dashboard presentation

woodcock — Fri, 23 Jun 2017 09:34:12 GMT

Like this:

(index=YesYouShouldBeSpecifyingAnIndex sourcetype="fire-ext_prd_app" isProctor=true event="firstItemLoadTime" securityLevel=1 isPractice=false) OR (index=IMeanItYouShouldBeSpecifyingAnIndex sourcetype="fire-ext_prd_app" event="ProctorCache ypass" securityLevel=1)
| stats count AS Total count(eval(event="ProctorCache ypass")) AS Failed | eval Success = Total - Failed
| eval SuccessPercent=100 * Success / Total
| eval FailedPercent=100 * Failed / Total