https://community.splunk.com/t5/Splunk-Search/Search-Query-Help/m-p/21377#M3507 <P>I am trying to monitor the percentages of 500's per endpoint of my api. I currently am returning all of the information and want to only show results if the percentage goes over 5%. (this way I can alert whenever the report is ran and there are greater than 0 results. </P> <P>sourcetype=My_Api_Access_Log<BR /><BR /> | eval path=My_Path<BR /><BR /> | eval endpoint = method." ".path<BR /><BR /> | eval iserror=if(status=500,1,0)<BR /><BR /> | eval err_user=if(iserror==1, user_id, null())<BR /><BR /> | stats sum(iserror) as errors, count as total, dc(err_user) as users by endpoint<BR /><BR /> | where errors != 0<BR /><BR /> | eval percent=round(100*errors/total,2)."%"<BR /><BR /> | fields endpoint, errors, total, percent, users<BR /><BR /> | sort -percent </P> <P>This is working great, but when I add:</P> <P>| where percent &gt; 5</P> <P>I get no results even though I know I have endpoints over 5% error rates. <BR /> Any ideas?</P> Mon, 28 Sep 2020 14:28:57 GMT dmw7752 2020-09-28T14:28:57Z https://community.splunk.com/t5/Splunk-Search/Search-Query-Help/m-p/21377#M3507 <P>I am trying to monitor the percentages of 500's per endpoint of my api. I currently am returning all of the information and want to only show results if the percentage goes over 5%. (this way I can alert whenever the report is ran and there are greater than 0 results. </P> <P>sourcetype=My_Api_Access_Log<BR /><BR /> | eval path=My_Path<BR /><BR /> | eval endpoint = method." ".path<BR /><BR /> | eval iserror=if(status=500,1,0)<BR /><BR /> | eval err_user=if(iserror==1, user_id, null())<BR /><BR /> | stats sum(iserror) as errors, count as total, dc(err_user) as users by endpoint<BR /><BR /> | where errors != 0<BR /><BR /> | eval percent=round(100*errors/total,2)."%"<BR /><BR /> | fields endpoint, errors, total, percent, users<BR /><BR /> | sort -percent </P> <P>This is working great, but when I add:</P> <P>| where percent &gt; 5</P> <P>I get no results even though I know I have endpoints over 5% error rates. <BR /> Any ideas?</P> Mon, 28 Sep 2020 14:28:57 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query-Help/m-p/21377#M3507 dmw7752 2020-09-28T14:28:57Z https://community.splunk.com/t5/Splunk-Search/Search-Query-Help/m-p/21378#M3508 <P>When you append the symbol "%" to your percent field, you change it's type from numerical to string. Comparing a string to a numeric value will render no results. This akin to comparing "5%" &gt; 5. </P> <P>Change</P> <PRE><CODE> | eval percent=round(100*errors/total,2)."%" </CODE></PRE> <P>to this:</P> <PRE><CODE>| eval percent=round(100*errors/total,2) </CODE></PRE> <P>And add this to the end of your search.</P> <PRE><CODE>| eval percent=percent."%" </CODE></PRE> Wed, 31 Jul 2013 23:02:26 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query-Help/m-p/21378#M3508 Gilberto_Castil 2013-07-31T23:02:26Z https://community.splunk.com/t5/Splunk-Search/Search-Query-Help/m-p/21379#M3509 <P>Oh my God...Im so stupid. Thank you. I cam back to this search after writing it a month ago and forgot I added that for aesthetics. Fresh pair of eyes. You sir, saved my sanity. </P> <P><A href="http://24.media.tumblr.com/022c89f083711e52d47f5dc75db33db6/tumblr_mocdvvCOSs1srujzdo1_500.gif">http://24.media.tumblr.com/022c89f083711e52d47f5dc75db33db6/tumblr_mocdvvCOSs1srujzdo1_500.gif</A></P> Wed, 31 Jul 2013 23:08:44 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query-Help/m-p/21379#M3509 dmw7752 2013-07-31T23:08:44Z