Dynamically compute success percentage based on v...

msrama5 · ‎10-29-2020

Hello, I wrote the following query which calculates success percentage based on expected 1 value every 5 mins which is 288 per day, but when it is less than a day or roll over multiple days , I need to compute the success percentage dynamically computing the expected values based on the duration divided by 5 mins and compute success percentages, how can this be done , below is the query for 24 hrs values. Need to change dynamically based on duration so number divided will change every time

earliest = -24h index=error_log | eventstats count as Success_Count by "Properties.QueryName" | eval Success_Percentage=round(Success_Count/288*100,2) | table Success_Percentage

renjith_nair · ‎10-29-2020

You may use addinfo to get the current search window

earliest = -24h index=error_log 
| addinfo
| eventstats count as Success_Count by "Properties.QueryName" 
| eval divider=round((info_max_time-info_min_time)/300,0)|fields - info*
| eval Success_Percentage=round(Success_Count/divider*100,2) | table Success_Percentage

If you want exact 288 for 24 hours, you need to use snap to hour for latest time. i.e. if the search is executed at 10:15, value of divider would be 291 including extra 15 mins of the hour

Reference : https://docs.splunk.com/Documentation/SCS/current/Search/Timemodifiers

Happy Splunking!

Dynamically compute success percentage based on value every 5 mins

using Splunk Cloud

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!