Security

Timechart percent count of http status code

orca
Explorer

I have a requirement where I want to show the timechart of 5xx errors percentage by total request.

currently I have

index=cgn http_status=5*|timechart count 

this gives me timechart as 

Screen Shot 2020-12-07 at 5.54.20 PM.png

but this does not gives me the real picture as how the backend node doing. so I need to change the chart to percentage of 5xx errors over total request so that I can find out how big the issue is.

Any help?

0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

@orca 

There are a number of ways to do this, but it will naturally involve searching all the data to get the totals to then work out the percentage. This will given you a single total percentage for all errors, as well as the individual error counts

index=cgn
| timechart count by status
| addtotals
| addtotals fieldname=Errors 5*
| eval ErrorRate=round(Errors/Total*100,2)
| fields _time 5* ErrorRate

 and you can then plot the ErrorRate field as a second Y-axis, with its own scale. This gives you best of both worlds in that you can quantify the volume of requests as you have the error counts.

Alternatively if you just want the rate of errors without counts, you can do this

index=cgn
| timechart count by status
| addtotals
| foreach 5* [ addtotals fieldname=tmp_<<MATCHSTR>> 5<<MATCHSTR>> | eval <<FIELD>>=round('tmp_<<MATCHSTR>>'/Total*100,2) ]
| fields _time 5*

 If you also wanted Total on the right Y-axis, then add Total to the final fields statement and edit the graph accordingly.

Hope this helps

 

View solution in original post

orca
Explorer

Thankyou! This is beautiful and neat. 

Only I have added limit=100 in timechart as I have huge volume of data and 5xx were going as OTHER slice.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

@orca 

There are a number of ways to do this, but it will naturally involve searching all the data to get the totals to then work out the percentage. This will given you a single total percentage for all errors, as well as the individual error counts

index=cgn
| timechart count by status
| addtotals
| addtotals fieldname=Errors 5*
| eval ErrorRate=round(Errors/Total*100,2)
| fields _time 5* ErrorRate

 and you can then plot the ErrorRate field as a second Y-axis, with its own scale. This gives you best of both worlds in that you can quantify the volume of requests as you have the error counts.

Alternatively if you just want the rate of errors without counts, you can do this

index=cgn
| timechart count by status
| addtotals
| foreach 5* [ addtotals fieldname=tmp_<<MATCHSTR>> 5<<MATCHSTR>> | eval <<FIELD>>=round('tmp_<<MATCHSTR>>'/Total*100,2) ]
| fields _time 5*

 If you also wanted Total on the right Y-axis, then add Total to the final fields statement and edit the graph accordingly.

Hope this helps

 

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...

Build and Launch AI Agents from Your Splunk Workflows

  Register We’ve all been there: juggling alerts, runbooks, and endless manual searches. What if you could ...

Splunk Cloud Application Management in Terraform

Register   On Tuesday, August 4 at 11AM PDT / 2PM EDT, we’re diving into how you can bring Infrastructure as ...