Splunk Search

Get the details events after using stats

phamxuantung
Communicator

I have a query


index = "index1"
|spath output=error_code input=RAW_DATA path=MsgSts.Cd
|dedup SESSIONID
|stats count as Total sum(eval(if(error_code=2,1,0))) as Error by OPERATION
|eval Rate = round((Error/Total)*100,2)
|search Rate>20
|table OPERATION Rate Error


And the table is

OPERATION | Rate  | Error
VerifyOTP | 24.08 | 310

Which is what I want, because I want to know which OPERATIONs have more than a 20% error rate in a certain time range.
But now the hard part: I want an alert to send to my email the details of all 310 error events shown above. Since I use the stats command, the only information I have left is Total, Error, Rate and OPERATION.

How do I get the detail events when the rate hits >20% according to my search?

1 Solution

ITWhisperer
SplunkTrust

Use eventstats

index = "index1"
|spath output=error_code input=RAW_DATA path=MsgSts.Cd
|dedup SESSIONID
|eventstats count as Total sum(eval(if(error_code=2,1,0))) as Error by OPERATION
|eval Rate = round((Error/Total)*100,2)
|search Rate>20


isoutamo
SplunkTrust

Hi

Can you try to use values(field1) ... values(fieldN) on your stats? It shows all the different values which those fields contain, as an mv field. Probably not exactly what you are looking for, but maybe enough?

If this is not what you want, then you could try to use the require command to check if this query gives an answer and then add those events? https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Require

r. Ismo

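To make the difference between the two answers concrete, here is an added Python model of the thread's pipeline (not Splunk code, and not written by either poster). It runs the same dedup, stats and eventstats logic over a constructed set of events so you can see why stats leaves only Total/Error/Rate per OPERATION (with values(SESSIONID) as the mv field isoutamo suggests), while eventstats keeps every event and annotates it with its group's numbers, which is what lets the alert carry the detail events. The `errors_only` option is an assumption added here: after `search Rate>20` the eventstats search returns all events of the affected OPERATION, so filtering on error_code=2 is what narrows it to just the error events the question asks for.

```python
from collections import defaultdict

# Constructed sample events standing in for index1 after spath; error_code 2 is an error.
EVENTS = [
    {"SESSIONID": "s1", "OPERATION": "VerifyOTP", "error_code": 2},
    {"SESSIONID": "s2", "OPERATION": "VerifyOTP", "error_code": 0},
    {"SESSIONID": "s2", "OPERATION": "VerifyOTP", "error_code": 0},  # repeated session, dropped by dedup
    {"SESSIONID": "s3", "OPERATION": "VerifyOTP", "error_code": 2},
    {"SESSIONID": "s4", "OPERATION": "Login", "error_code": 0},
    {"SESSIONID": "s5", "OPERATION": "Login", "error_code": 2},
    {"SESSIONID": "s6", "OPERATION": "Login", "error_code": 0},
    {"SESSIONID": "s7", "OPERATION": "Login", "error_code": 0},
    {"SESSIONID": "s8", "OPERATION": "Login", "error_code": 0},
    {"SESSIONID": "s9", "OPERATION": "Login", "error_code": 0},
]


def dedup(events, field="SESSIONID"):
    """Model of `| dedup SESSIONID`: keep the first event seen for each value."""
    seen, out = set(), []
    for ev in events:
        if ev[field] not in seen:
            seen.add(ev[field])
            out.append(ev)
    return out


def _group_aggregates(events, by="OPERATION"):
    """Total, Error and Rate per group; shared by the stats and eventstats models."""
    agg = defaultdict(lambda: {"Total": 0, "Error": 0, "SESSIONID": set()})
    for ev in events:
        g = agg[ev[by]]
        g["Total"] += 1                                   # count as Total
        g["Error"] += 1 if ev["error_code"] == 2 else 0   # sum(eval(if(error_code=2,1,0))) as Error
        g["SESSIONID"].add(ev["SESSIONID"])               # values(SESSIONID), distinct
    for g in agg.values():
        g["Rate"] = round(g["Error"] / g["Total"] * 100, 2)  # eval Rate = round((Error/Total)*100,2)
    return agg


def stats(events, by="OPERATION"):
    """Model of `| stats ... values(SESSIONID) by OPERATION`: one row per group,
    the original events are gone, only the mv list of session ids survives."""
    rows = []
    for key, g in _group_aggregates(events, by).items():
        rows.append({by: key, "Total": g["Total"], "Error": g["Error"],
                     "Rate": g["Rate"], "SESSIONID": sorted(g["SESSIONID"])})
    return rows


def eventstats(events, by="OPERATION"):
    """Model of `| eventstats ... by OPERATION`: every event survives, annotated
    with its group's Total/Error/Rate, so later commands still see the raw fields."""
    agg = _group_aggregates(events, by)
    return [dict(ev, Total=agg[ev[by]]["Total"], Error=agg[ev[by]]["Error"],
                 Rate=agg[ev[by]]["Rate"]) for ev in events]


def alert_details(events, threshold=20, errors_only=True):
    """The accepted answer's pipeline: dedup, eventstats, keep events whose group
    Rate exceeds the threshold. errors_only (an assumption added here) further keeps
    only the error events themselves, i.e. what the alert e-mail should list."""
    kept = [ev for ev in eventstats(dedup(events)) if ev["Rate"] > threshold]
    if errors_only:
        kept = [ev for ev in kept if ev["error_code"] == 2]
    return kept


if __name__ == "__main__":
    for row in stats(dedup(EVENTS)):
        print("stats row:", row)
    for ev in alert_details(EVENTS):
        print("alert detail event:", ev)
```

Running it shows two stats rows (VerifyOTP at 66.67%, Login at 16.67%) and, from `alert_details`, only the VerifyOTP error events with their SESSIONID and error_code still attached. In Splunk terms, the equivalent of `errors_only` is appending `error_code=2` to the final `search Rate>20` so the alert lists the failures rather than every event of the noisy OPERATION.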