This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the same dataset that you will have already downloaded and ingested into Splunk. If not, please go to the Tutorial and complete it (or at least download and ingest the dataset).

This is the eighth blog in the series, and builds on the dashboard created in the previous blogs.

Comparative Success Rates - an alternative view

Another way to look at the success rates (or failure rates for that matter), is to compare the hourly rate against the maximum and minimum rate for the same hour of the day over the last few days.This screen image shows the hourly success rate compared to the min and max from the last 7 days.

Hourly Success Rates

Starting with the same search you started with, add a new panel to the dashboard.

• Start a new search
• Change the time range to All time
• Run the following search

sourcetype=access_combined_wcookie
| timechart span=1h count by status
| addtotals row=t fieldname=_total
| where _total > 0
| eval success=round(100*'200'/_total,2)
| table _time success​

This screen image shows some of the hourly success rates from the events access log.

• Click the Visualization tab
• Change the chart to Line Chart (if it is not already selected).This screen image shows a line chart of the hourly success rates from the events access log.
• Click Save As and select Existing Dashboard.
• Select the Buttercup Games - Requests
  1. For Panel Title, type Success rate compared to highest and lowest hourly rate
  2. For Visualization Type, keep the setting for Line Chart.This screen image shows options for saving the hourly success chart to a new panel in an existing dashboard.
• Click Save to Dashboard.
• In the confirmation dialog box, click View Dashboard.This screen image shows the new hourly success rate panel in existing dashboard.

Next step is to go on to part 9 where you can compare the last 24 hours with the same hours in previous days.