Splunk Search

Calculate percentage of counts over events

huaraz
Explorer

Hi

I would like to get alerted about the percentage of extraction errors ( since there is no built-in function for this 😞 )

I was looking at this option ( field1 is the first field in my EXTRACT regex in transforms.conf )

index=logs | eval isn=if(isnull(field1),1,0) | chart sum(isn) count(isn) perc100(sum(isn)/count(isn))

but that does not work.

Thank you
Markus

0 Karma

chimell
Motivator

Hi huaraz
To show the value perc100 in a table do this

     index=logs | eval isn=if(isnull(field1),1,0) | chart sum(isn) count(isn) | eval perc100='sum(isn)'/'count(isn)' |table perc100
0 Karma

stephane_cyrill
Builder

Hi Markus,
To show the value of perc100 in a table, just pipe what somesoni2 did like this:
.......l table perc100

you can add more the one fields using table commande.

...l perc100 sum(isn) count(isn) host

0 Karma

huaraz
Explorer

That does not seem to work perc100 is just empty. But I think I found another way

index=logs | eval isn=if(isnull(field1),1,0) | chart sum(isn) as Failures count(isn) as "Total events" avg(eval(isn*100)) as Percentage

In this case average is also percentage,isn't it ?

Markus

0 Karma

somesoni2
Revered Legend

Chart/stats can't do operations on the fields which are not defined yet (sum(isn) and count(isn) will be available after chart command only). So try this

index=logs | eval isn=if(isnull(field1),1,0) | chart sum(isn) count(isn) | eval perc100='sum(isn)'/'count(isn)'
0 Karma

huaraz
Explorer

How do I then show the value perc100 in a table or chart ?

Markus

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>