Re: Calculate percentage of counts over events

huaraz · ‎04-03-2015

Hi

I would like to get alerted about the percentage of extraction errors ( since there is no built-in function for this 😞 )

I was looking at this option ( field1 is the first field in my EXTRACT regex in transforms.conf )

index=logs | eval isn=if(isnull(field1),1,0) | chart sum(isn) count(isn) perc100(sum(isn)/count(isn))

but that does not work.

Thank you
Markus

chimell · ‎04-04-2015

Hi huaraz
To show the value perc100 in a table do this

     index=logs | eval isn=if(isnull(field1),1,0) | chart sum(isn) count(isn) | eval perc100='sum(isn)'/'count(isn)' |table perc100

stephane_cyrill · ‎04-04-2015

Hi Markus,
To show the value of perc100 in a table, just pipe what somesoni2 did like this:
.......l table perc100

you can add more the one fields using table commande.

...l perc100 sum(isn) count(isn) host

huaraz · ‎04-04-2015

That does not seem to work perc100 is just empty. But I think I found another way

index=logs | eval isn=if(isnull(field1),1,0) | chart sum(isn) as Failures count(isn) as "Total events" avg(eval(isn*100)) as Percentage

In this case average is also percentage,isn't it ?

Markus

somesoni2 · ‎04-03-2015

Chart/stats can't do operations on the fields which are not defined yet (sum(isn) and count(isn) will be available after chart command only). So try this

index=logs | eval isn=if(isnull(field1),1,0) | chart sum(isn) count(isn) | eval perc100='sum(isn)'/'count(isn)'

huaraz · ‎04-03-2015

How do I then show the value perc100 in a table or chart ?

Markus

Calculate percentage of counts over events

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!