Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Diff the counts in correlated queries
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am very new to Splunk.
I have two log files, the first one, let's call it accessLog, contains the access log for the http requests
A splunk query could give me the count for each request.
url count
http://host1/query1 10
http://host1/query2 20
The second log file, let's call it errorLog, contains only error for the request, the line contains a keyword of the url.
A Splunk query could give me the result:
keyword errorCount
query1 2
query2 8
I want to calculate the success ratio for each request:
URL success ratio
http://host1/query1 80%
http://host2/query2 60%
It could be described as the following sql
Select url, count(url), (count(url) - (select (count (keyword) from ErrorLog where url is like '%keyword%'))/count(url) as successRatio
From accessLog
group by url
Could this be done in a Splunk query?
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| rename COMMENT as "First search"
| eval _raw="url count
http://host1/query1 10
http://host1/query2 20"
| multikv forceheader=1
| table url count
| append
[| makeresults
| rename COMMENT as "Second search"
| eval _raw="keyword errorCount
query1 2
query2 8"
| multikv forceheader=1
| table keyword errorCount]
| eval tmp=mvindex(split(url,"/"),-1)
| eval key=coalesce(keyword,tmp)
| selfjoin key
| eval "success ratio"=(1-errorCount/count)*100
| table url "success ratio"But
index=yours (sourcetype=AccessLog OR (sourcetype=ErrorLog "keyword"))
and aggregate with stats command
This is Splunk way.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| rename COMMENT as "First search"
| eval _raw="url count
http://host1/query1 10
http://host1/query2 20"
| multikv forceheader=1
| table url count
| append
[| makeresults
| rename COMMENT as "Second search"
| eval _raw="keyword errorCount
query1 2
query2 8"
| multikv forceheader=1
| table keyword errorCount]
| eval tmp=mvindex(split(url,"/"),-1)
| eval key=coalesce(keyword,tmp)
| selfjoin key
| eval "success ratio"=(1-errorCount/count)*100
| table url "success ratio"But
index=yours (sourcetype=AccessLog OR (sourcetype=ErrorLog "keyword"))
and aggregate with stats command
This is Splunk way.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Works like a charm. thanks again.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
