topic Re: Why is my eval calculation not displaying in table? in Splunk Search

Why is my eval calculation not displaying in table?

demkic — Wed, 30 Nov 2016 22:01:16 GMT

Hi all,

I am trying to display a calculation for the failure rate when taking into consideration the volume of all transactions. For some reason the values for the failure_rate are not appearing in my results. I am not able to find the mistake in the search..

base search...
| timechart span=1h count(errorType) as total 
| eval "Date/Time"=strftime('_time', "%A, %B %e, %Y %I:%M %p") 
| append 
    [ base search...
    | timechart span=1h count(success) as alltransactions 
    | eval "Date/Time"=strftime('_time', "%A, %B %e, %Y %I:%M %p")] | eval failure_rate=round(total/alltransactions*100,1) | stats values(failure_rate) as failure_rate values(alltransactions) as alltransactions values(total) as total by "Date/Time" | table "Date/Time" failure_rate alltransactions total

Many thanks!

Re: Why is my eval calculation not displaying in table?

sundareshr — Wed, 30 Nov 2016 22:11:37 GMT

When you use append events get added to the end. So in your case, you have events on the top with the total fields and events at the bottom have the alltransactions field. Hence you math doesn't work. Its either total/null OR null/alltransactions, both generating errors. To fix this, you should get rid of the append subsearch. Try this

(base search for error events) OR (base search for success events) | eval errors=if(isnotnull(errorType), 1, 0) | eval success=if(isnotnull(success), 1, 0) | timechart span=1h sum(errors) as total sum(success) as alltransactions | eval failure_rate=round(total/alltransactions*100,1) | | eval _time=strftime('_time', "%A, %B %e, %Y %I:%M %p")

Re: Why is my eval calculation not displaying in table?

demkic — Wed, 30 Nov 2016 22:55:49 GMT

Hi, thank you for your reply. Your above query is essentially doing the correct calculations. However, the failure rate turns out to be 100% for the entire column. The base search for error events only differs in the part that success=false while the base search for success events will include success=true.

Since the two base queries only differ by that success=true or success=false part, I tried to tweak the query using only 1 base query but applying some additional commands, however now I am getting an error message... Am I on the right track?

(base search for error and success events) | stats count(eval(success="false")) as fail count(eval(success="true")) as approve| eval errors=if(isnotnull(fail), 1, 0) | eval success=if(isnotnull(approve), 1, 0) | timechart span=1h sum(fail) as total sum(approve) as alltransactions | eval failure_rate=round(total/alltransactions*100,1) | eval _time=strftime('_time', "%A, %B %e, %Y %I:%M %p")

Re: Why is my eval calculation not displaying in table?

demkic — Wed, 30 Nov 2016 23:17:35 GMT

Actually, I think I got it:

(base query that includes failed and approved transactions) 
| timechart span=1h count(eval(errorType="approved")) as approvals count(eval(errorType)) as AllErrors count(eval(event="transactionCompleted")) as CompletedTransactions 
| eval Failures=AllErrors-approvals 
| eventstats sum(CompletedTransactions) as columntotal
| eval percent_failure=round(Failures*100/columntotal , 1)
| table _time percent_failure | eval _time=strftime('_time', "%A, %B %e, %Y %I:%M %p") | rename percent_failure as "Failure Rate", _time as "Date/Time"

Re: Why is my eval calculation not displaying in table?

aaraneta_splunk — Fri, 09 Dec 2016 22:51:49 GMT

Hi @demkic - Did the answer provided by sundareshr help steer you in the right direction towards a working solution? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!