Find the good/bad percentage of ERRORS above/below...

Splunk Search

Hi Experts,

As part of an new initiative looking at SLO metrics. I have created the below query which nicely counts the amount of errors per day over a 30 day window and also provides a nice average level on the same graph using an overlay for easy viewing.

earliest=-30d@d index=fx ERROR sourcetype=mysourcetype source="mysource.log"
| rex field=source "temp(?<instance>.*?)\/"
| stats count by _time instance
| timechart span=1d max(count) by instance
| appendcols [search earliest=-30d@d index=fx ERROR sourcetype=mysourcetype source="mysource.log"
| rex field=source "temp(?<instance>.*?)\/"
| stats count by _time instance
| stats avg(count) AS 30d_average]|filldown 30d_average

I wanted to somehow work out the percentage of good results (anything that is lower then the average value) and the percentage of bad results (above the average) and show in a stats table for each instance.

Help needed! thanks in advance

Theo

Get Updates on the Splunk Community!

Find the good/bad percentage of ERRORS above/below average

chart

count

eval

fields

stats

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Join the Conversation

Find the good/bad percentage of ERRORS above/below average