Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with Arthematic calculations

manikath_kaleru
New Member
‎08-29-2022 06:16 PM

I need to calculate count of the good 15 minute intervals where (status code = 200 AND average response time < 300 milliseconds AND 99.99th percentile response time < 1500 milliseconds ) / the total count of the intervals * 100. Could someone help. Where I already have status code and response time in two separate fields

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-29-2022 11:49 PM

Hi @manikath_kaleru,

it's not clear for me the last condition, but, following my approach you can modify this search adding the missing condition.

Anyway, you have to insert some conditions in the main search and some others after the stats calculation, something like this:

index=your_index status=200
| stats avg(response_time) AS avg_response_time 99perc(response_time) AS 99_response_time
| where avg_response_time<300 AND 99_response_time<1500

 Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-29-2022 11:45 PM

Hi

I'm not sure what you are meaning by " (status code = 200 AND average response time < 300 milliseconds AND 99.99th percentile response time < 1500 milliseconds ) / the total count of the intervals * 100" ?

But here is example with splunkd_ui_access for status=200 avg_resp_time < 300 and p99 < 1500 (unfortunately splunk's percentile function don't support decimals, only integers are supported).

index=_internal source="*/var/log/splunk/splunkd_ui_access.log" sourcetype=splunkd_ui_access status=200 earliest=-15m
| eventstats avg(spent) as avg_resp_time p99(spent) as p99_resp_time
| where avg_resp_time < 300 AND p99_resp_time < 1500

If you want sliding 15m then you should change eventstats to  streamstats.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...