topic Re: I need to display priority data for 7 days with the percentage, however am unable to display it in 7 days. in Splunk Search

I need to display priority data for 7 days with the percentage, however am unable to display it in 7 days.

a508184 — Sun, 30 Jun 2024 18:16:25 GMT

I need to display priority data for 7 days with the percentage, however am unable to display it in 7 days. My below query works for a days search but doesn't displays for 7 days. Could you please help with fixing the query.

Below is my query.

| multisearch
[ search index=myindex source=mysoruce "* from *" earliest=-7d@d latest=@d
| fields TRN, tomcatget, Queue ]
[ search index=myindex source=mysoruce *sent* earliest=-7d@d latest=@d
| fields TRN, TimeMQPut, Status]
[ search index=myindex source=mysoruce *Priority* earliest=-7d@d latest=@d
| fields TRN,Priority ]
| stats values(*) as * by TRN
| eval PPut=strptime(tomcatput, "%y%m%d %H:%M:%S")
| eval PGet=strptime(tomcatget,"%y%m%d %H:%M:%S")
| eval tomcatGet2tomcatPut=round((PPut-PGet),0)
| fillnull value="No_tomcatPut_Time" tomcatput
| fillnull value="No_tomcatGet_Time" tomcatget
| table TRN, Queue, BackEndID, Status, Priority, tomcatget, tomcatput, tomcatGet2tomcatPut
| eval E2E_5min=if(tomcatGet2tomcatPut<=300,1,0)
| eval E2E_20min=if(tomcatGet2tomcatPut>300 and tomcatGet2tomcatPut<=1200,1,0)
| eval E2E_50min=if(tomcatGet2tomcatPut>1200 and tomcatGet2tomcatPut<=3000,1,0)
| eval E2EGT50min=if(tomcatGet2tomcatPut>3000,1,0)
| eval Total = E2E_5min + E2E_20min + E2E_50min + E2EGT50min
| stats sum(E2E_5min) as sum_5min sum(E2E_20min) as sum_20min sum(E2E_50min) as sum_50min sum(E2EGT50min) as sum_50GTmin sum(Total) as sum_total by Priority
| eval bad = if(Priority="High", sum_20min + sum_50min + sum_50GTmin, if(Priority="Medium", sum_50min + sum_50GTmin, if(Priority="Low", sum_50GTmin, null())))
| eval good = if(Priority="High", sum_5min, if(Priority="Medium", sum_5min + sum_20min, if(Priority="Low", sum_5min+ sum_20min + sum_50min, null())))
| eval per_cal = if(Priority="High", (good / sum_total) * 100, if(Priority="Medium", (good / sum_total) * 100, if(Priority="Low", (good / sum_total) * 100, null())))
| table Priority per_cal

looking to get output in below format.

Re: I need to display priority data for 7 days with the percentage, however am unable to display it in 7 days.

PickleRick — Sun, 30 Jun 2024 18:29:19 GMT

It's not a very good search to begin with (unneeded multisearch and wildcard-beginning search terms) so maybe show a sample (anonymized if needed) of your data and a description of what you need to get from it. That might be easier than "fixing" this one.

Re: I need to display priority data for 7 days with the percentage, however am unable to display it in 7 days.

a508184 — Sun, 30 Jun 2024 19:18:50 GMT

Thanks PickleRick, I get each field details from different sources, my bad I updated the same source for all the searches, actually those are different.

Re: I need to display priority data for 7 days with the percentage, however am unable to display it in 7 days.

ITWhisperer — Sun, 30 Jun 2024 19:29:33 GMT

Apart from the problems already identified by @PickleRick you should do as advised and provide anonymised representative examples of your events and a description of what it is you are trying to do, because your current approach does not look very performant or even workable.

If you want daily statistics, you should include some sort of time factor in your by clause

| bin _time span=1d | stats values(*) as * by _time, TRN

Re: I need to display priority data for 7 days with the percentage, however am unable to display it in 7 days.

a508184 — Sun, 30 Jun 2024 20:56:55 GMT

below are the logs.

source=gettomcat
240628 05:59:41 6677 gettomcat: ===> TRN@q1: abbb-acabca-adste112 [Priority=Medium].
240628 05:59:41 6677 gettomcat: <--- TRN: abbb-acabca-adste112 - S.

source=puttomcat
240628 05:59:58 32296 puttomcat: ---> TRN: abbb-acabca-adste112 - Done.

From the gettomcat source extracted the priority and time, from the puttomcat i have extracted the time, i did a calculation to see the round trip of a request and also percentage of passed request.

Now i need to disable as per the below screenshot. Priority, percentage of each prioirty per day for the last 7 days.

Re: I need to display priority data for 7 days with the percentage, however am unable to display it in 7 days.

ITWhisperer — Mon, 01 Jul 2024 04:09:02 GMT

From you query, it looks like you have already extracted TRN, tomcatget, Queue, TimeMQPut, Status, and Priority; is this correct?

Is tomcatput the same as TimeMQPut?

I assume a success is when Status is "Done" - what about non-successes, do you get a different value in Status?

Re: I need to display priority data for 7 days with the percentage, however am unable to display it in 7 days.

a508184 — Mon, 01 Jul 2024 16:00:10 GMT

Yes @ITWhisperer, i have extracted all TRN, tomcatget, Queue, TimeMQPut, Status, and Priority.

you're right tomcatput=TimeMQPut, ignore about the status am not using it for the response time calculation.

Splunk query which i shared has response time.

| eval E2E_5min=if(tomcatGet2tomcatPut<=300,1,0) | eval E2E_20min=if(tomcatGet2tomcatPut>300 and tomcatGet2tomcatPut<=1200,1,0) | eval E2E_50min=if(tomcatGet2tomcatPut>1200 and tomcatGet2tomcatPut<=3000,1,0) | eval E2EGT50min=if(tomcatGet2tomcatPut>3000,1,0) | eval Total = E2E_5min + E2E_20min + E2E_50min + E2EGT50min | stats sum(E2E_5min) as sum_5min sum(E2E_20min) as sum_20min sum(E2E_50min) as sum_50min sum(E2EGT50min) as sum_50GTmin sum(Total) as sum_total by Priority

This will give below output.

Now am creating a field called good and adding adding a condition.
If priority is High then it should be in sum_5min
if priority is medium then it should be in sum_20min, so adding sum_5min + sum_20min
If priority is High then it should be in sum_50min, so adding sum_5min + sum_20min + sum_50min

| eval good = if(Priority="High", sum_5min, if(Priority="Medium", sum_5min + sum_20min, if(Priority="Low", sum_5min+ sum_20min + sum_50min, null())))

After getting the good field data, now am calculating percentage of success which display in a table format

When i try a timechart it doesnt work as expected.

timechart span=1d avg(per_cal) by Priority

Gives me output no results found.

Re: I need to display priority data for 7 days with the percentage, however am unable to display it in 7 days.

ITWhisperer — Mon, 01 Jul 2024 15:50:40 GMT

Try something like this (this assumes that you want daily results based on when the get was received, rather than the put, if this is different, change the bin command to use the other field)

index=myindex source=mysoruce earliest=-7d@d latest=@d | eval PPut=strptime(tomcatput, "%y%m%d %H:%M:%S") | eval PGet=strptime(tomcatget, "%y%m%d %H:%M:%S") | stats min(PGet) as PGet, max(PPut) as PPut, values(Priority) as Priority by TRN | eval tomcatGet2tomcatPut=round((PPut-PGet),0) | eval E2E_5min=if(tomcatGet2tomcatPut<=300,1,0) | eval E2E_20min=if(tomcatGet2tomcatPut>300 and tomcatGet2tomcatPut<=1200,1,0) | eval E2E_50min=if(tomcatGet2tomcatPut>1200 and tomcatGet2tomcatPut<=3000,1,0) | eval E2EGT50min=if(tomcatGet2tomcatPut>3000,1,0) | eval Total = E2E_5min + E2E_20min + E2E_50min + E2EGT50min | bin PGet as _time span=1d | stats sum(E2E_5min) as sum_5min sum(E2E_20min) as sum_20min sum(E2E_50min) as sum_50min sum(E2EGT50min) as sum_50GTmin sum(Total) as sum_total by _time Priority | eval good = if(Priority="High", sum_5min, if(Priority="Medium", sum_5min + sum_20min, if(Priority="Low", sum_5min+ sum_20min + sum_50min, null()))) | eval Per_cal=round(100*good/sum_total,1) | xyseries _time Priority Per_cal