Solved: Query to get Percentage using two Queries?

Deprasad · ‎08-30-2022

I've 2 queries, 1 will give the the total no of events and the other will give the counts by error type.
I'm trying to join the two queries so that I can get the percentage of each error type.

Query 1:
index=app "ResponseLoggingFilter" "Operation"
| stats count as Total_Transaction

Query 2:
index=app "ResponseLoggingFilter" "Operation" NOT "OK" NOT "1041"
| rex "(?:.+message\"\:\")(?<Error_Message>.+)(?:\"\,)"
| stats count by Error_Message

Deprasad · ‎08-30-2022

Thanks for this query @richgalloway !

It worked. Further I added the below piece of query to get the percentage.

| eval Error_Percentage=round(100*count/Total_Transaction,2)."%"
| table Error_Message,count, Error_Percentage

View solution in original post

richgalloway · ‎08-30-2022

See if this helps

index=app  "ResponseLoggingFilter" "Operation"
| eventstats count as Total_Transaction
| rex "(?:.+message\"\:\")(?<Error_Message>.+)(?:\"\,)"
| eval Error_Message = if(match(_raw, "OK") OR match(_raw, "1041"), null(), Error_Message)
| stats max(Total_Transaction) as Total_Transaction, count by Error_Message

---
If this reply helps you, Karma would be appreciated.

Deprasad · ‎08-30-2022

Thanks for this query @richgalloway !

It worked. Further I added the below piece of query to get the percentage.

| eval Error_Percentage=round(100*count/Total_Transaction,2)."%"
| table Error_Message,count, Error_Percentage

Query to get Percentage using two Queries?

monitoring console

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation