I need to calculate if more than 15% of "error1" in server logs are there since last release.
Release is every Wednesday (weekly)
Sat | Sun | Mon | Tues | Wed | Thu | Fri |
1 | 2 | 3 | 4 | 5 | 6 | 7 |
8 | 9 | 10 | 11 | 12 | 13 | 14 |
15 | 16 | 17 | 18 | 19 | 20 | 21 |
Release 1 cycle - from 6th to 12th,
Release 2 cycle - 13th to 19th, and so on for a month
For example:
So, if the Splunk query runs on the 14th, it should find "errors1" count in server logs from 6th to 12th as "count1". Then, it should find "errors1" count in server logs from 13th to 14th as "count2". Then calculate the percentage increase in "count2" from "count1".
If the Splunk query runs on the 20th, it should find "errors1" count in server logs from 13th to 19th as "count1". Then, it should find "errors1" count in server logs on 20th as "count2". Then calculate the percentage increase in "count2" from "count1".
If the Splunk query runs on the 18th, it should find "errors1" count in server logs from 6th to 12th as "count1". Then, it should find "errors1" count in server logs from 13th to 18th as "count2". Then calculate the percentage increase in "count2" from "count1".
Calculate if more than 15% of "error1" in server logs are there since last release.
Please help!
@ITWhisperer Thanks for the reply! Appreciate it
@VS0909 Please can you accept the solution so others can find it more easily
@ITWhisperer Thanks for the reply! Appreciate it
eval releasepast=floor((dayspast - dsw) / 7) - If today's date is the 16th and "error1" occurred in logs on the 15th, then dayspast = 1, dsw = 4. This may not be the correct calculation.
Please help!
Sat | Sun | Mon | Tues | Wed | Thu | Fri |
1 | 2 | 3 | 4 | 5 | 6 | 7 |
8 | 9 | 10 | 11 | 12 | 13 | 14 |
15 | 16 | 17 | 18 | 19 | 20 | 21 |
Hi @VS0909
My mistake, the dayspast calculation is wrong. The times need to be aligned to the beginning of the day.
| eval dayspast=round((relative_time(now(), "@d") - relative_time(_time, "@d")) / 86400)
Also dsw (days since Wednesday) should be days since Tuesday (the last day of a release) and it should be based on now().
| eval dst=(tonumber(strftime(now(),"%w")) + 5) % 7
Then release past becomes
| eval releasepast=floor((dayspast - dst) / 7)
This gives -1 for current release, and 0 for previous release and 1 for the release before that.
@ITWhisperer Thanks for the reply!
Please let me know how I will find "count1" and "count2".
If the Splunk query runs on the 18th, it should find "errors1" count in server logs from 6th to 12th as "count1". Then, it should find "errors1" count in server logs from 13th to 18th as "count2". Then calculate the percentage increase in "count2" from "count1".
Join the two rows together
| stats list(*) as *
Calculate percentage
| eval p=tonumber(mvindex(count,0))/tonumber(mvindex(count,1))
| fields p
You might need a sort (by releasepast) before the stats to ensure the counts are in the right order
Calculate days past
| eval dayspast=floor((now()-_time)/(60*60*24))
Calculate days since Wednesday
| eval dsw=(tonumber(strftime(_time,"%w")) + 4) % 7
Calculate how far back the release cycle is
| eval releasepast=floor((dayspast - dsw) / 7)
Reduce events to previous and current release
| where releasepast < 2
Count errors
| stats count by releasepast
You now have the values you need to work out your percentage
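The release-bucket arithmetic from this thread, modelled in Python as an added example (not code from any poster) so the date ranges can be checked against the calendar in the question. Assumptions: May 2021 stands in for the unnamed month because its 1st is a Saturday, the counts are constructed, and `offset` is a hypothetical parameter: 5 is the `+ 5` from the corrected reply (cycle ends Tuesday), while 4 ends the cycle on Wednesday and reproduces the 6th-12th and 13th-19th ranges.

```python
from datetime import date, timedelta

def strftime_w(d):
    """Weekday as strftime %w reports it: Sunday=0 ... Saturday=6."""
    return (d.weekday() + 1) % 7              # Python weekday(): Monday=0

def releasepast(event_day, run_day, offset):
    """floor((dayspast - days_since_cycle_end) / 7), as in the thread.
    offset=5: cycle ends Tuesday; offset=4: cycle ends Wednesday."""
    dayspast = (run_day - event_day).days     # whole days, midnight-aligned
    since_end = (strftime_w(run_day) + offset) % 7   # from the run day
    return (dayspast - since_end) // 7        # // floors negatives like floor()

def cycle_ranges(run_day, offset, lookback=21):
    """Map bucket -> (first_day, last_day) for current (-1) and previous (0)."""
    ranges = {}
    for n in range(lookback, -1, -1):         # walk oldest day first
        day = run_day - timedelta(days=n)
        bucket = releasepast(day, run_day, offset)
        if bucket in (-1, 0):
            first = ranges.get(bucket, (day, day))[0]
            ranges[bucket] = (first, day)
    return ranges

def pct_increase(count1, count2):
    """Percentage increase of count2 (current) over count1 (previous)."""
    if count1 == 0:
        return None                           # no baseline to compare against
    return (count2 - count1) * 100 / count1

def exceeds_threshold(count1, count2, threshold=15.0):
    pct = pct_increase(count1, count2)
    return pct is not None and pct > threshold

def may(n):
    """Constructed calendar: May 2021 starts on a Saturday, like the question's."""
    return date(2021, 5, n)

if __name__ == "__main__":
    for run in (14, 18, 20):
        for offset in (4, 5):
            r = cycle_ranges(may(run), offset)
            print(run, offset, {b: (a.day, z.day) for b, (a, z) in r.items()})
    print(exceeds_threshold(40, 50))          # constructed counts
```

On a run that falls on the last day of a cycle, bucket -1 is empty, so a query built this way should treat a missing current-release row as a count of zero.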