- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk search for failed count percentage out of t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I need help in creating one query.
There is one field "Operator" having multiple values like airphone,bphone,vsphone etc.
The query should return the total count of each (airphone,bphone,vsphone etc.) per minute along with failed percentage of each.
Also if that query could specify for which location there are maximum failure of each.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Working search:
source="logfilename" host="test" index="splunkdata" earliest=-10m
| eventstats count(eval(Logon_message="for")) as Successful by Operator
| eventstats count(eval(Logon_message="error")) as Failed by Operator
| eventstats count(eval(Logon_message="*")) as Total by Operator
| eval perc_error = ((Failed)/(Total)*100)
| stats values(Successful) as "Total Successful" values(Failed) as "Total Failed" values(Total) as "Total Logins" values(perc_error) as Percentage by Operator
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Working search:
source="logfilename" host="test" index="splunkdata" earliest=-10m
| eventstats count(eval(Logon_message="for")) as Successful by Operator
| eventstats count(eval(Logon_message="error")) as Failed by Operator
| eventstats count(eval(Logon_message="*")) as Total by Operator
| eval perc_error = ((Failed)/(Total)*100)
| stats values(Successful) as "Total Successful" values(Failed) as "Total Failed" values(Total) as "Total Logins" values(perc_error) as Percentage by Operator
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
with plenty of respect, it seems like you are almost asking us to do your homework for you.
how would you tell if its failed or succeeded?
what have you tried so far? share your search please as well as a sample data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks adonio.
I was missing in a point to use eventstats for the same.
I have achieved the desired results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad you're able to find a resolution on your own. Please post the search/solution that has worked for you as an answer and accept the same to close this question. This will help other splunkers with similar issues to know the working solution.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
