
Timechart percent count of http status code

orca
Explorer

I have a requirement where I want to show the timechart of 5xx errors percentage by total request.

Currently I have:

index=cgn http_status=5* | timechart count

This gives me the timechart as:

Screen Shot 2020-12-07 at 5.54.20 PM.png

But this does not give me the real picture of how the backend node is doing, so I need to change the chart to the percentage of 5xx errors over total requests so that I can find out how big the issue is.

Any help?

0 Karma
1 Solution

bowesmana
SplunkTrust

@orca 

There are a number of ways to do this, but it will naturally involve searching all the data to get the totals to then work out the percentage. This will give you a single total percentage for all errors, as well as the individual error counts:

index=cgn
| timechart count by status
| addtotals
| addtotals fieldname=Errors 5*
| eval ErrorRate=round(Errors/Total*100,2)
| fields _time 5* ErrorRate

and you can then plot the ErrorRate field as a second Y-axis, with its own scale. This gives you the best of both worlds in that you can quantify the volume of requests as you have the error counts.

Alternatively, if you just want the rate of errors without counts, you can do this:

index=cgn
| timechart count by status
| addtotals
| foreach 5* [ addtotals fieldname=tmp_<<MATCHSTR>> 5<<MATCHSTR>> | eval <<FIELD>>=round('tmp_<<MATCHSTR>>'/Total*100,2) ]
| fields _time 5*

If you also wanted Total on the right Y-axis, then add Total to the final fields statement and edit the graph accordingly.

Hope this helps


orca
Explorer

Thank you! This is beautiful and neat.

Only I have added limit=100 in timechart, as I have a huge volume of data and the 5xx were going into the OTHER slice.

0 Karma
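
A variation that sidesteps the OTHER-slice problem mentioned in the reply above, as an added example that is not part of the original posts: instead of splitting by status, it counts 5xx events with a conditional count, so no limit= is needed and empty time buckets do not produce a null rate. The makeresults lines build constructed sample events so the search runs on any Splunk instance; the field name http_status is taken from the question, and the 30-minute span and the sample status mix are assumptions.

```spl
| makeresults count=200
| streamstats count as n
| eval _time=_time-(n*60)
| eval http_status=case(n%20==0,"503", n%33==0,"500", n%7==0,"404", true(),"200")
| timechart span=30m count as Total, count(eval(like(http_status,"5%"))) as Errors
| eval ErrorRate=if(Total>0, round(Errors/Total*100,2), 0)
| fields _time Total Errors ErrorRate
```

Against real data, replace the first four lines with index=cgn and keep the timechart, eval and fields lines; ErrorRate can then go on a second Y-axis as described in the answer.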
