Hello Splunk Community,
Here is my code and explanation of the issue below:
I am having a very annoying issue that I can't fix. The issue is that the percentage should be 60, which I can get easily, but the issue starts when I group by the logDate. When I group by logDate, my percentage automatically turns to 100% - it obviously should not convert to 100%. Any advice?
index=syz event=object
| eval MoveObject=case (event=object, time)
Below are the calculations for when I chart percentage:
| eval Total=case(LevelMet="Failure",ObjectId)
| eval logDate = strftime(strptime(MoveObject, "%Y-%m-%d"),"%d-%b-%Y")
| stats dc(Total) as Failed_Docs dc(ObjectId) as Total_Docs by logDate
| eval Percentage=round((Failed_Docs / Total_Docs )*100,2)
| chart values(Percentage) as Percentage by logDate
It is not clear what you want percentage to be a percentage of - your current search gives you the percentage of failed docs from the total on each day.
Do your events include more than one value of LevelMet?
Can you post some anonymised sample events?
Hi @ITWhisperer
Here is an example of the code. So now I have the right percentage, but it shows up daily, results I see are like this:
I only need the percentage for the corresponding Date_Record not the same percentage daily...
Date_Record | Percentage |
01-Apr-2021 | 55.00 |
29-Mar-2021 | 55.00 |
30-Mar-2021 | 55.00 |
(index=abc (dev=xyz event="startDoc" ) OR ( dev=vbn lkp_doc_type=* level="endDoc" ))
| eval endDocTime=case(level="endDoc", TimeStamp)
| eval startDocTime=case(event="sendDoc", RecordTime)
| stats earliest(startDocTime) as startDocTime latest(endDocTime) as endDocTime values(Duration) as Duration values(lkp_doc_type) as lkp_doc_type dc(docNum) as TotalDocs values(Total) as Total by docNum
| eval startTime = strptime(startDocTime,"%Y-%m-%d %H:%M:%S.%q"), endTime=strptime(endDocTime,"%Y-%m-%d %H:%M:%S.%q")
| where isNotNull(startDocTime) AND isNotNull(endDocTime)
| eval Duration = (endTime-startTime)
| eval DocValue=case(lkp_doc_type="Low", 1, lkp_doc_type="Medium", 2, lkp_doc_type="High", 3)
| eval Doc_MetValue=if(Duration<=DocValue, "Success", "Failure")
| eval Total=case(Doc_MetValue="Failure", docNum)
This is where I start the percentage calculations:
| eval Date_Record = strftime(strptime(endDocTime, "%Y-%m-%d"),"%d-%b-%Y")
| stats dc(Total) as Failed_Doc dc(docNum) as Total_Docs_Received values(Date_Record) as Date_Record ***I also tried doing by Date_Record here, but did not help***
| eval Percentage=round((Failed_Doc/Total_Docs_Received )*100,2)
| chart values(Percentage) as Percentage by Date_Record
| stats earliest(startDocTime) as startDocTime latest(endDocTime) as endDocTime values(Duration) as Duration values(lkp_doc_type) as lkp_doc_type dc(docNum) as TotalDocs values(Total) as Total by docNum
values(Duration) as Duration seems redundant as you recalculate Duration later
dc(docNum) as TotalDocs seems redundant as you stats by docNum so it will always be 1, and isn't used later anyway
| eval Date_Record = strftime(strptime(endDocTime, "%Y-%m-%d"),"%d-%b-%Y")
| stats dc(Total) as Failed_Doc dc(docNum) as Total_Docs_Received values(Date_Record) as Date_Record
If you want to group these by days, you could try this
| bin span=1d endDocTime
| stats dc(Total) as Failed_Doc dc(docNum) as Total_Docs_Received by endDocTime
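A run-anywhere version of the per-day grouping discussed in this thread, added here as an example and not posted by either participant: the makeresults rows, the counter n and the helper field day are constructed for illustration, while the other field names follow the searches above. Grouping the stats by day before Percentage is calculated gives each date its own ratio instead of one overall value repeated on every row.

```spl
| makeresults count=6
| streamstats count as n
| eval docNum="D".n
| eval endDocTime=case(n<=3, "2021-03-29", n<=5, "2021-03-30", true(), "2021-04-01")." 10:00:00.000"
| eval Doc_MetValue=if(n%2==1, "Failure", "Success")
| eval Total=case(Doc_MetValue="Failure", docNum)
| eval day=strptime(substr(endDocTime, 1, 10), "%Y-%m-%d")
| stats dc(Total) as Failed_Doc dc(docNum) as Total_Docs_Received by day
| eval Percentage=round((Failed_Doc/Total_Docs_Received)*100, 2)
| sort 0 day
| eval Date_Record=strftime(day, "%d-%b-%Y")
| table Date_Record Failed_Doc Total_Docs_Received Percentage
```

Keeping day as an epoch value until after the sort puts the rows in calendar order; sorting on the formatted Date_Record string would put 01-Apr-2021 ahead of 29-Mar-2021, as in the table earlier in the thread.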