Graph failure rate as a percentage by a grouping field

raoul
Path Finder

I have some transaction data. Transactions originate in a region and can either succeed or fail. I would like to have a graph of the failure rate (as a percentage) by region. I have not found a way to do this.

The closest I have gotten is:

... 
  | timechart span=1h count(eval(Msg="0420")) as fail_cnt, count as cnt 
  | eval pct=100*(fail_cnt/cnt) 
  | fields - *cnt

The problem I have is that when I try and do a "by region" then the timechart complains.

The eval(Msg="0420") is simply an arbitrary failure condition. In general, I would like to be able to graph arbitrary rates across regions so that I can compare if one region is out of step with the others.


gkanapathy
Splunk Employee

A solution is here:

http://www.splunk.com/base/Documentation/4.1.6/User/ReportOfMultipleDataSeries

The problem is that timechart can't display more than three dimensions of data (time, series, value). The above is probably a bit more complicated than is strictly required for your graph, since you discard the additional series and just keep pct. So a simpler solution in your specific case is:

... | bucket _time span=1h 
    | stats count(eval(Msg="0420")) as fail_cnt
            count as cnt 
      by _time, region
    | eval pct=100*fail_cnt/cnt
    | timechart span=1h
        first(pct) as pct
      by region

or (possibly simpler):

... | bucket _time span=1h 
    | stats count(eval(Msg="0420")) as fail_cnt
            count as cnt 
      by _time, region
    | eval pct=100*fail_cnt/cnt
    | xyseries _time region pct
