I have a query
index="index1"
| spath output=error_code input=RAW_DATA path=MsgSts.Cd
| dedup SESSIONID
| stats count AS Total sum(eval(if(error_code=2,1,0))) AS Error BY OPERATION
| eval Rate=round((Error/Total)*100,2)
| search Rate>20
| table OPERATION Rate Error
And the table is
OPERATION | Rate | Error
VerifyOTP | 24.08 | 310
Which is what I want, because I want to know which OPERATION has an error rate above 20% in a certain time range.
But now the hard part: I want an alert that sends the details of all 310 error events shown above to my email. Since I use the stats command, the only information I have left is Total, Error, Rate and OPERATION.
How do I get the detail events when the rate hits >20% according to my search?
Use eventstats
index="index1"
| spath output=error_code input=RAW_DATA path=MsgSts.Cd
| dedup SESSIONID
| eventstats count AS Total sum(eval(if(error_code=2,1,0))) AS Error BY OPERATION
| eval Rate=round((Error/Total)*100,2)
| search Rate>20
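Carrying the eventstats approach through to an alert-ready result set, as an added example that is not part of the thread (the field names index1, RAW_DATA, MsgSts.Cd, SESSIONID and OPERATION are taken from the question; the output column list is an assumption). Unlike stats, eventstats attaches Total and Error to every event in the group instead of collapsing the group, so the original events survive and can be filtered on the computed Rate:

```spl
index="index1"
| spath output=error_code input=RAW_DATA path=MsgSts.Cd
| dedup SESSIONID
| eventstats count AS Total sum(eval(if(error_code=2,1,0))) AS Error BY OPERATION
| eval Rate=round((Error/Total)*100,2)
| where Rate>20 AND error_code=2
| table _time OPERATION SESSIONID error_code Total Error Rate
```

Each row is one deduplicated session belonging to an OPERATION whose error rate exceeds 20%, restricted to the error events themselves (drop `AND error_code=2` to also keep the successful sessions of that operation). Saved as an alert with the trigger condition "Number of results" greater than 0, the email action's "Include results" option (inline or as a CSV attachment; prefer the attachment for several hundred rows) delivers exactly those events. Two caveats: `dedup SESSIONID` keeps only one event per session, so Error counts sessions rather than raw events, as in the original search; and eventstats has to hold every event of the time range in memory per OPERATION group, so on very large ranges it is subject to the eventstats memory limit (max_mem_usage_mb in limits.conf) and the results may be truncated with a warning.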
Hi
Can you try to use values(field1) ... values(fieldN) in your stats? It shows all the different values those fields contain as a multivalue field. Probably not exactly what you are looking for, but maybe enough?
If this is not what you want, then you could try to use the require command to check if this query gives an answer and then add those events? https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Require
r. Ismo
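One way to apply the values() suggestion while staying with stats, as an added example that is not part of the thread (field names from the question; the ErrorSessions column name and the eval wrapper are assumptions). Wrapping SESSIONID in eval so that only sessions with error_code=2 are collected gives the alert a list of the failing sessions without switching to eventstats:

```spl
index="index1"
| spath output=error_code input=RAW_DATA path=MsgSts.Cd
| dedup SESSIONID
| stats count AS Total sum(eval(if(error_code=2,1,0))) AS Error values(eval(if(error_code=2,SESSIONID,null()))) AS ErrorSessions BY OPERATION
| eval Rate=round((Error/Total)*100,2)
| where Rate>20
| mvexpand ErrorSessions
| table OPERATION Rate Error ErrorSessions
```

values() returns the distinct session IDs sorted lexicographically and is capped by the maxvalues setting of the [stats] stanza in limits.conf; list() would preserve event order but is capped at a much smaller list_maxsize, so it is the wrong choice for 310 rows. mvexpand turns the multivalue column into one row per session, which is what an email result table needs; leave it out if a single row per OPERATION with all IDs is preferred. This only recovers the fields you collect in stats, not the raw events, so for full event details the eventstats version is still the better fit. Appending `| require` makes the search fail rather than return an empty result, which is useful to distinguish "no operation over 20%" from a broken search, but it does not by itself add any events to the output.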