Splunk Search

Calculate if more than 15% of "error1" in server logs are there since last release

VS0909
Communicator


I need to calculate if more than 15% of "error1" in server logs are there since last release.

Release is every Wednesday (weekly)

Sat  Sun  Mon  Tue  Wed  Thu  Fri
  1    2    3    4    5    6    7
  8    9   10   11   12   13   14
 15   16   17   18   19   20   21

Release 1 cycle: from the 6th to the 12th,

Release 2 cycle: from the 13th to the 19th, and so on for a month.

For example:

So, if the Splunk query runs on the 14th, it should find the "errors1" count in server logs from the 6th to the 12th as "count1". Then it should find the "errors1" count in server logs from the 13th to the 14th as "count2". Then calculate the percentage increase of "count2" over "count1".

If the Splunk query runs on the 20th, it should find the "errors1" count in server logs from the 13th to the 19th as "count1". Then it should find the "errors1" count in server logs on the 20th as "count2". Then calculate the percentage increase of "count2" over "count1".

If the Splunk query runs on the 18th, it should find the "errors1" count in server logs from the 6th to the 12th as "count1". Then it should find the "errors1" count in server logs from the 13th to the 18th as "count2". Then calculate the percentage increase of "count2" over "count1".

Calculate if more than 15% of "error1" in server logs are there since last release.

Please help!


0 Karma

VS0909
Communicator

@ITWhisperer  Thanks for the reply! Appreciate it


0 Karma

ITWhisperer
SplunkTrust

@VS0909 Please can you accept the solution so others can find it more easily

0 Karma

VS0909
Communicator


@ITWhisperer  Thanks for the reply! Appreciate it

| eval releasepast=floor((dayspast - dsw) / 7)

If today's date is the 16th and "error1" occurred in the logs on the 15th, then dayspast = 1 and dsw = 4. This may not be the correct calculation.

Please help!


Sat  Sun  Mon  Tue  Wed  Thu  Fri
  1    2    3    4    5    6    7
  8    9   10   11   12   13   14
 15   16   17   18   19   20   21

0 Karma

ITWhisperer
SplunkTrust

Hi @VS0909 

My mistake, the dayspast calculation is wrong. The times need to be aligned to the beginning of the day.

| eval dayspast=(relative_time(now(), "@d") - relative_time(_time, "@d")) / 86400

Also dsw (days since Wednesday) should be days since Tuesday (the last day of a release), and it should be based on now().

| eval dst=(tonumber(strftime(now(),"%w")) + 5) % 7

Then releasepast becomes

| eval releasepast=floor((dayspast - dst) / 7)

This gives -1 for the current release, 0 for the previous release and 1 for the release before that.

VS0909
Communicator

@ITWhisperer  Thanks for the reply!

Please let me know how I will find "count1" and "count2".

If the Splunk query runs on the 18th, it should find the "errors1" count in server logs from the 6th to the 12th as "count1". Then it should find the "errors1" count in server logs from the 13th to the 18th as "count2". Then calculate the percentage increase of "count2" over "count1".

0 Karma

ITWhisperer
SplunkTrust

Join the two rows together

| stats list(count) as count

Calculate percentage

| eval p=tonumber(mvindex(count,0))/tonumber(mvindex(count,1))
| fields p

You might need a sort (by releasepast) before the stats to ensure the counts are in the right order.

ITWhisperer
SplunkTrust

Calculate days past

| eval dayspast=floor((now()-_time)/(60*60*24))

Calculate days since Wednesday

| eval dsw=(tonumber(strftime(_time,"%w")) + 4) % 7

Calculate how far back the release cycle is

| eval releasepast=floor((dayspast - dsw) / 7)

Reduce events to previous and current release

| where releasepast < 2

Count errors

| stats count by releasepast

You now have the values you need to work out your percentage.
