topic Re: Declare a variable for a search to find distribution of calls in Splunk Search

Declare a variable for a search to find distribution of calls

skoelpin — Wed, 01 Apr 2015 15:35:58 GMT

I have 4 basic web services (I'll add more later) which are called throughout the day. My CalculateTax web service is called the most, followed by LookupTax which has the 2nd most, followed by DeliverySchedule has 3rd most, followed by ProductAvailability has the least. So I want to make a dashboard pie chart which shows the distribution of these calls.

I tried extracting the fields for these calls but unfortunately I'm only getting 80% of the calls, I need 100% of them. So is there anyway which I could define each of the 4 searches as a variable then tie all the variables together and find the percent of each web service and put it in a pie chart?

As of now I can do ... "CalculateTaxRequest" | stats count and get a count of the results for CalculateTax but when trying to add another web service call onto that search it will not count or it will combine the count totals of both web services and I cannot get a distribution of each call.

Re: Declare a variable for a search to find distribution of calls

tonykung — Wed, 01 Apr 2015 16:54:24 GMT

follow the logic shown in this query:

let me know if it works for you.

Re: Declare a variable for a search to find distribution of calls

somesoni2 — Wed, 01 Apr 2015 16:58:18 GMT

Try something like this

..."CalculateTaxRequest" OR "LookupTax" OR "DeliverySchedule" OR "ProductAvailability" | eval Service=case(match(_raw,"CalculateTaxRequest),"CalculateTaxRequest",match(_raw,"LookupTax"),"LookupTax", match(_raw,"DeliverySchedule"),"DeliverySchedule",1=1,"ProductAvailability") | stats count by Service

Alternative approach

"CalculateTaxRequest"  | stats count | eval Service="CalculateTaxRequest" | append
[search "LookupTax"  | stats count | eval Service="LookupTax"] |append 
[search "DeliverySchedule"  | stats count | eval Service="DeliverySchedule" ] |append
[search "ProductAvailability"  | stats count | eval Service="ProductAvailability"] | table Service,count

Re: Declare a variable for a search to find distribution of calls

skoelpin — Wed, 01 Apr 2015 18:09:24 GMT

Thanks for the reply. I followed your example and it output exactly what I was looking for.. CalculateTax was perfect but the other 3 web services counts were off by a lot. Any idea as to why that would happen?

DeliverySchedule = off by 231
ProductAvailability = off by 406
LookupTax = off by 296

Re: Declare a variable for a search to find distribution of calls

somesoni2 — Wed, 01 Apr 2015 19:04:46 GMT

My query assumes you have only one Web service name available in one event. So, you're getting lesser count OR more?

Also, try the alternative approach if that helps.

Re: Declare a variable for a search to find distribution of calls

skoelpin — Wed, 01 Apr 2015 19:35:24 GMT

I tried the alternative approach and once again, calculatetax is working great but the others are showing 0. For the first query you posted, I'm getting less