Splunk Search

Chart Percentage Issue Percentage is miscalculated

Mary666
Communicator

Hello Splunk Community, 


Here is my code and explanation of the issue below:

I am having a very annoying issue that I can't fix. The issue is that the percentage should be 60, which I can get easily, but the issue starts when I group by the logDate. When I group by logDate, my percentage automatically turns to 100% - it obviously should not convert to 100%. Any advice?

index=syz event=object
| eval MoveObject=case(event="object", time)

Here are the calculations for when I chart the percentage:

| eval Total=case(LevelMet="Failure", ObjectId)
| eval logDate=strftime(strptime(MoveObject, "%Y-%m-%d"), "%d-%b-%Y")
| stats dc(Total) as Failed_Docs dc(ObjectId) as Total_Docs by logDate
| eval Percentage=round((Failed_Docs / Total_Docs) * 100, 2)
| chart values(Percentage) as Percentage by logDate

 

0 Karma

ITWhisperer
SplunkTrust

It is not clear what you want percentage to be a percentage of - your current search gives you the percentage of failed docs from the total on each day

Do your events include more than one value of LevelMet?

Can you post some anonymised sample events?

0 Karma

Mary666
Communicator

Hi @ITWhisperer 

Here is an example of the code. So now I have the right percentage, but it shows up daily; the results I see are like this:
I only need the percentage for the corresponding Date_Record, not the same percentage daily...

Date_Record   Percentage
01-Apr-2021   55.00
29-Mar-2021   55.00
30-Mar-2021   55.00

 

(index=abc (dev=xyz event="startDoc") OR (dev=vbn lkp_doc_type=* level="endDoc"))
| eval endDocTime=case(level="endDoc", TimeStamp), startDocTime=case(event="startDoc", RecordTime)
| stats earliest(startDocTime) as startDocTime latest(endDocTime) as endDocTime values(Duration) as Duration values(lkp_doc_type) as lkp_doc_type dc(docNum) as TotalDocs values(Total) as Total by docNum
| eval startTime=strptime(startDocTime, "%Y-%m-%d %H:%M:%S.%q"), endTime=strptime(endDocTime, "%Y-%m-%d %H:%M:%S.%q")
| where isnotnull(startDocTime) AND isnotnull(endDocTime)
| eval Duration=(endTime - startTime)
| eval DocValue=case(lkp_doc_type="Low", 1, lkp_doc_type="Medium", 2, lkp_doc_type="High", 3)
| eval Doc_MetValue=if(Duration<=DocValue, "Success", "Failure")
| eval Total=case(Doc_MetValue="Failure", docNum)
This is where I start the percentage calculations: 

| eval Date_Record=strftime(strptime(endDocTime, "%Y-%m-%d"), "%d-%b-%Y")
| stats dc(Total) as Failed_Doc dc(docNum) as Total_Docs_Received values(Date_Record) as Date_Record
(I also tried doing "by Date_Record" here, but it did not help.)
| eval Percentage=round((Failed_Doc / Total_Docs_Received) * 100, 2)
| chart values(Percentage) as Percentage by Date_Record
0 Karma

ITWhisperer
SplunkTrust
| stats earliest(startDocTime) as startDocTime latest(endDocTime) as endDocTime values(Duration) as Duration values(lkp_doc_type) as lkp_doc_type  dc(docNum) as TotalDocs values(Total) as Total  by docNum

values(Duration) as Duration seems redundant as you recalculate Duration later

dc(docNum) as TotalDocs seems redundant as you stats by docNum, so this will always be 1, and it isn't used later anyway

| eval Date_Record = strftime(strptime(endDocTime, "%Y-%m-%d"),"%d-%b-%Y")

| stats  dc(Total) as Failed_Doc dc(docNum) as Total_Docs_Received values(Date_Record) as Date_Record

If you want to group these by days, you could try this:

| bin span=1d endDocTime
| stats  dc(Total) as Failed_Doc dc(docNum) as Total_Docs_Received by endDocTime
0 Karma
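To make the difference between the two stats shapes in this thread concrete, here is an added Python model of the pipeline (not Splunk code and not from either poster): it builds the per-docNum rows, then computes the failure percentage once globally and charts it by Date_Record (the shape that repeats one number on every day), and once grouped by day (the bin-then-stats fix). The events, docNum values and thresholds are constructed for the example.

```python
from datetime import datetime
from collections import defaultdict
FMT = "%Y-%m-%d %H:%M:%S.%f"
THRESHOLD = {"Low": 1, "Medium": 2, "High": 3}  # seconds; the DocValue case() in the thread

# Constructed sample events (not data from the thread): (docNum, RecordTime of the
# startDoc event, TimeStamp of the endDoc event or None, lkp_doc_type).
EVENTS = [
    ("d1", "2021-03-29 10:00:00.000", "2021-03-29 10:00:00.500", "Low"),     # ok
    ("d2", "2021-03-29 11:00:00.000", "2021-03-29 11:00:02.000", "Low"),     # too slow
    ("d3", "2021-03-30 09:00:00.000", "2021-03-30 09:00:01.000", "High"),    # ok
    ("d4", "2021-03-30 09:30:00.000", "2021-03-30 09:30:05.000", "Medium"),  # too slow
    ("d5", "2021-03-30 12:00:00.000", "2021-03-30 12:00:03.000", "Medium"),  # too slow
    ("d6", "2021-03-30 13:00:00.000", None, "Low"),                          # no endDoc yet
]

def per_doc_results(events):
    # Emulates the per-docNum stats, the Duration / Doc_MetValue evals and the
    # '| where isnotnull(startDocTime) AND isnotnull(endDocTime)' filter.
    results = []
    for doc_num, start, end, doc_type in events:
        if start is None or end is None:
            continue
        duration = (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds()
        results.append({
            "docNum": doc_num,
            "failed": duration > THRESHOLD[doc_type],
            "Date_Record": datetime.strptime(end, FMT).strftime("%d-%b-%Y"),
        })
    return results

def percentage_global_then_chart(results):
    # The shape that went wrong in the thread: stats with no 'by' clause gives one
    # global ratio, and 'chart ... by Date_Record' then repeats it on every day.
    pct = round(sum(r["failed"] for r in results) / len(results) * 100, 2)
    return {r["Date_Record"]: pct for r in results}

def percentage_by_day(results):
    # The fix ITWhisperer suggests: bin by day first, then stats by that day.
    failed, total = defaultdict(int), defaultdict(int)
    for r in results:
        total[r["Date_Record"]] += 1
        failed[r["Date_Record"]] += int(r["failed"])
    return {day: round(failed[day] / total[day] * 100, 2) for day in total}

if __name__ == "__main__":
    rows = per_doc_results(EVENTS)
    print("global-then-chart:", percentage_global_then_chart(rows))
    print("per day:          ", percentage_by_day(rows))
```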