https://community.splunk.com/t5/Splunk-Search/How-to-compare-success-failure-by-status/m-p/703316#M238387 <P>You can also check out two nice commands - <EM>xyseries</EM> and <EM>untable</EM> which can be used to (de)tabularize such data series.</P> Fri, 01 Nov 2024 11:58:40 GMT PickleRick 2024-11-01T11:58:40Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-success-failure-by-status/m-p/703296#M238377 <P>I've got data so:<BR /><BR />"[clientip]&nbsp; [host] - [time] [method] [uri_path] [status] [useragent]" ..&nbsp;&nbsp;<BR />and do the following search:</P><P>&nbsp;</P><LI-CODE lang="markup">index=web uri_path="/somepath" status="200" OR status="400" | rex field=useragent "^(?&lt;app_name&gt;[^/]+)/(?&lt;app_version&gt;[^;]+)?\((?&lt;app_platform&gt;[^;]+); *" | eval app=app_platform+" "+app_name+" "+app_version</LI-CODE><P>&nbsp;</P><P><BR />I've split up the useragent just fine and verified the output. I want to now compare status&nbsp; by "app".<BR />So I've added the following:</P><P>&nbsp;</P><LI-CODE lang="markup">| stats count by app, status</LI-CODE><P>&nbsp;</P><P><BR />Which gives me:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%" height="25px">app</TD><TD width="33.333333333333336%" height="25px">status</TD><TD width="33.333333333333336%" height="25px">count</TD></TR><TR><TD width="33.333333333333336%" height="40px"><P>android app 1.0</P></TD><TD width="33.333333333333336%" height="40px">200</TD><TD width="33.333333333333336%" height="40px">5000</TD></TR><TR><TD height="40px"><P>ios app 2.0</P></TD><TD height="40px">400</TD><TD height="40px">3</TD></TR><TR><TD height="40px"><P>android app 1.1</P></TD><TD height="40px">200</TD><TD height="40px">500</TD></TR><TR><TD height="40px"><P>android app 1.0</P></TD><TD height="40px">400</TD><TD height="40px">12</TD></TR><TR><TD height="40px"><P>ios app 2.0</P></TD><TD height="40px">200</TD><TD height="40px">3000</TD></TR></TBODY></TABLE><P><BR />How can I compare, for a given "app" (combo of platform, name, version) the rate of success where success is when the response = 200 and failure if 400. I understand that I need to take success and divide by success + failure count.. But how do I combine this data?&nbsp;<BR />Also note that I need to consider that some apps may not have any 400 errors.&nbsp;</P> Fri, 01 Nov 2024 00:01:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-success-failure-by-status/m-p/703296#M238377 mwolfe 2024-11-01T00:01:38Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-success-failure-by-status/m-p/703299#M238379 <P>I think I got it&nbsp;</P><LI-CODE lang="markup">| eval success=if(status=200,1,0) | eval failure=if(status=400,1,0) | stats sum(failure) as fail_sum, sum(success) as success_sum by app | eval success_rate=round((success_sum / (success_sum + fail_sum))*100,1) | table app, success_rate</LI-CODE> Fri, 01 Nov 2024 00:54:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-success-failure-by-status/m-p/703299#M238379 mwolfe 2024-11-01T00:54:27Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-success-failure-by-status/m-p/703308#M238383 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/273665">@mwolfe</a>&nbsp;,</P><P>don't use sum but count:</P><LI-CODE lang="markup">index=web uri_path="/somepath" status="200" OR status="400" | rex field=useragent "^(?&lt;app_name&gt;[^/]+)/(?&lt;app_version&gt;[^;]+)?\((?&lt;app_platform&gt;[^;]+); *" | eval app=app_platform+" "+app_name+" "+app_version | eval success=if(status=200,1,0) | eval failure=if(status=400,1,0) | stats count(failure) AS fail_count count(success) AS success_count BY app | eval success_rate=round((success_count / (success_count + fail_count))*100,1) | table app success_rate</LI-CODE><P>otherwise, you could insert the eval in the stats:</P><LI-CODE lang="markup">index=web uri_path="/somepath" status="200" OR status="400" | rex field=useragent "^(?&lt;app_name&gt;[^/]+)/(?&lt;app_version&gt;[^;]+)?\((?&lt;app_platform&gt;[^;]+); *" | eval app=app_platform+" "+app_name+" "+app_version | stats count(eval(status=400)) AS fail_count count(eval(status=200)) AS success_count BY app | eval success_rate=round((success_count / (success_count + fail_count))*100,1) | table app success_rate</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 01 Nov 2024 10:55:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-success-failure-by-status/m-p/703308#M238383 gcusello 2024-11-01T10:55:52Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-success-failure-by-status/m-p/703316#M238387 <P>You can also check out two nice commands - <EM>xyseries</EM> and <EM>untable</EM> which can be used to (de)tabularize such data series.</P> Fri, 01 Nov 2024 11:58:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-success-failure-by-status/m-p/703316#M238387 PickleRick 2024-11-01T11:58:40Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-success-failure-by-status/m-p/703334#M238390 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/273665">@mwolfe</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 01 Nov 2024 17:01:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-success-failure-by-status/m-p/703334#M238390 gcusello 2024-11-01T17:01:33Z