Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with Arthematic calculations

manikath_kaleru
New Member
‎08-29-2022 06:16 PM

I need to calculate count of the good 15 minute intervals where (status code = 200 AND average response time < 300 milliseconds AND 99.99th percentile response time < 1500 milliseconds ) / the total count of the intervals * 100. Could someone help. Where I already have status code and response time in two separate fields

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-29-2022 11:49 PM

Hi @manikath_kaleru,

it's not clear for me the last condition, but, following my approach you can modify this search adding the missing condition.

Anyway, you have to insert some conditions in the main search and some others after the stats calculation, something like this:

index=your_index status=200
| stats avg(response_time) AS avg_response_time 99perc(response_time) AS 99_response_time
| where avg_response_time<300 AND 99_response_time<1500

 Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-29-2022 11:45 PM

Hi

I'm not sure what you are meaning by " (status code = 200 AND average response time < 300 milliseconds AND 99.99th percentile response time < 1500 milliseconds ) / the total count of the intervals * 100" ?

But here is example with splunkd_ui_access for status=200 avg_resp_time < 300 and p99 < 1500 (unfortunately splunk's percentile function don't support decimals, only integers are supported).

index=_internal source="*/var/log/splunk/splunkd_ui_access.log" sourcetype=splunkd_ui_access status=200 earliest=-15m
| eventstats avg(spent) as avg_resp_time p99(spent) as p99_resp_time
| where avg_resp_time < 300 AND p99_resp_time < 1500

If you want sliding 15m then you should change eventstats to  streamstats.

r. Ismo

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...