Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Adding a percentage Failure column to a table from a chart command

zd00191
Communicator
‎07-30-2015 07:49 PM

I have the following search.

index=ko_autosys sourcetype=autosys_applog_scheduler_events  host="usatlb98" OR host="usatlb91" System="*"  JOB_NAME="*" eventtype=autosys_failure_jobs OR eventtype=autosys_terminated_jobs OR eventtype=autosys_restart_jobs OR eventtype=autosys_success_jobs |chart count(JOB_NAME) over System by job_status |rename System as "Application" |sort 0 -FAILURE |addtotals fieldname=Total

This search creates a table with a total column and a column for each status. Each column contains a numerical value which is a count. I would like to add a column that will show the percentage of the 'Total' column that the FAILURE column count is . For example if the Total column for SAP FILO is 100 and the failure column value is 20. I wan to have another column that will have 20%. Please help! Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-31-2015 07:52 AM

OK, given your clarification, like this:

 index=ko_autosys sourcetype=autosys_applog_scheduler_events  host="usatlb98" OR host="usatlb91" System="*"  JOB_NAME="*" eventtype=autosys_failure_jobs OR eventtype=autosys_terminated_jobs OR eventtype=autosys_restart_jobs OR eventtype=autosys_success_jobs | chart count(JOB_NAME) over System by job_status |rename System as "Application" | sort 0 -FAILURE | addtotals fieldname=Total | eval pct=100*FAILURE/Total

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-31-2015 07:52 AM

OK, given your clarification, like this:

 index=ko_autosys sourcetype=autosys_applog_scheduler_events  host="usatlb98" OR host="usatlb91" System="*"  JOB_NAME="*" eventtype=autosys_failure_jobs OR eventtype=autosys_terminated_jobs OR eventtype=autosys_restart_jobs OR eventtype=autosys_success_jobs | chart count(JOB_NAME) over System by job_status |rename System as "Application" | sort 0 -FAILURE | addtotals fieldname=Total | eval pct=100*FAILURE/Total
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-30-2015 08:20 PM

Like this:

index=ko_autosys sourcetype=autosys_applog_scheduler_events  host="usatlb98" OR host="usatlb91" System="*"  JOB_NAME="*" eventtype=autosys_failure_jobs OR eventtype=autosys_terminated_jobs OR eventtype=autosys_restart_jobs OR eventtype=autosys_success_jobs |chart count(JOB_NAME) over System by job_status |rename System as "Application" | addcoltotals | fillnull value="Total" | eval rowTotal=0 | foreach * [eval rowTotal = rowTotal + if(isnum(<<FIELD>>),<<FIELD>>,0)] | sort 6 - rowTotal | eventstats first(rowTotal) AS allTotal | eval pct = 100*rowTotal/allTotal |sort 0 -FAILURE
0 Karma
Reply
Solved! Jump to solution

zd00191
Communicator
‎07-30-2015 08:27 PM

Thank you again for helping me.

The table should contain 20 rows with the last row being a sum of the column values. There should be 6 columns with the last column containing a total of the row. I would like to have a column that displays a percentage of the total that is in the FAILURE column. These should be the column separated by a space

Application FAILURE RESTART SUCCESS TERMINATED Total PercentFailure

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...