Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Want to add error percentage column in chart view

rahuljchavan
Loves-to-Learn
‎11-25-2020 03:27 AM

I have a query where I am getting count of different http status codes like below

rahuljchavan_0-1606303451158.png

I want to add a error percentage column to above chart.

Labels (1)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎11-25-2020 10:25 PM

@rahuljchavan 

you can try below: Query will display error & success percentage both.

| rex field=_raw "(?ms)^[^\"\\n]*\"(?P<http_method>\\w+)\\s+((?P<path>/[a-zA-Z0-9-_/=]*).*) (?P<http_ver>[^\"]+)\"\\s+(?P<status_code>\\d+)" offset_field=_extracted_fields_bounds 
| rex field=_raw "(?ms)^[^\"\\n]*\"(?P<http_method>\\w+)\\s+((?P<path>/imgproxy/*).*) (?P<http_ver>[^\"]+)\"\\s+(?P<status_code>\\d+)" offset_field=_extracted_fields_bounds 
| eval endpoint=http_method." ".path 
| where like(path, "/info%") OR like(path, "/status%") OR like(path, "/imgproxy%") OR like(path, "/error%") OR like(path, "/rest/suite/%") 
| eval result=if(status_code>299,"error","success")
| stats count  count(eval(result="success")) as success_count count(eval(result="error")) as error_count by endpoint
| eval error_perc=(error_count/count)*100,success_perc=(success_count/count)*100
| table endpoint,error_perc,success_perc
————————————
If this helps, give a like below.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎11-25-2020 05:51 AM

@rahuljchavan 

can you post your query here.

————————————
If this helps, give a like below.
0 Karma
Reply

rahuljchavan
Loves-to-Learn
‎11-25-2020 05:59 AM

Here is the query

| rex field=_raw "(?ms)^[^\"\\n]*\"(?P<http_method>\\w+)\\s+((?P<path>/[a-zA-Z0-9-_/=]*).*) (?P<http_ver>[^\"]+)\"\\s+(?P<status_code>\\d+)" offset_field=_extracted_fields_bounds | rex field=_raw "(?ms)^[^\"\\n]*\"(?P<http_method>\\w+)\\s+((?P<path>/imgproxy/*).*) (?P<http_ver>[^\"]+)\"\\s+(?P<status_code>\\d+)" offset_field=_extracted_fields_bounds | eval endpoint=http_method." ".path | where like(path, "/info%") OR like(path, "/status%") OR like(path, "/imgproxy%") OR like(path, "/error%") OR like(path, "/rest/suite/%") | chart count over endpoint by status_code usenull=false

0 Karma
Reply

rahuljchavan
Loves-to-Learn
‎11-25-2020 04:20 AM

@thambisetty Thanks for the reply.

I am a beginner to splunk.

The columns are fetched dynamically i.e. using chart count over endpoint by status_code and might be missing some statuses runtime.

In short I want to calculate error percentage depending on these dynamically populated fields.

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎11-25-2020 04:09 AM

@rahuljchavan 

Hope you want to calculate error percentage for each endpoint.

| eval success='200' + '204'
| eval error= <add all other than above two codes here in the same fashion as above>
| eval error_perc= (error/(error+success))*100
————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...