Splunk Search

Get the details events after using stats

phamxuantung
Communicator

I have a query

index="index1"
|spath output=error_code input=RAW_DATA path=MsgSts.Cd
|dedup SESSIONID
|stats count as Total sum(eval(if(error_code=2,1,0))) as Error by OPERATION
|eval Rate = round((Error/Total)*100,2)
|search Rate>20
|table OPERATION Rate Error

And the table is

OPERATION | Rate  | Error
VerifyOTP | 24.08 | 310

Which is what I want, because I want to know which OPERATION has an error rate of more than 20% in a certain time range.
But now the hard part is that I want an alert that sends to my email the details of all 310 error events shown above. Since I use the stats command, the only information I have left is Total, Error, Rate and OPERATION.

How do I get the detailed events when the rate hits >20% according to my search?

1 Solution

ITWhisperer
SplunkTrust

Use eventstats

index="index1"
|spath output=error_code input=RAW_DATA path=MsgSts.Cd
|dedup SESSIONID
|eventstats count as Total sum(eval(if(error_code=2,1,0))) as Error by OPERATION
|eval Rate = round((Error/Total)*100,2)
|search Rate>20

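To make the difference between stats and eventstats concrete, here is a plain-Python replay of the pipeline from the thread (an added example, not code from the thread or from Splunk): spath, dedup SESSIONID, aggregate by OPERATION, then Rate>20. The events, the field names and the JSON shape of RAW_DATA are constructed assumptions; the errors_only switch stands for an extra `| search error_code=2` after the rate filter.

```python
"""Replay of the thread's pipeline in plain Python to show why `stats` loses
the events while `eventstats` keeps them. Added example; the events, field
names and the JSON layout of RAW_DATA below are constructed assumptions."""
import json
from collections import defaultdict


def ev(sid, op, code):
    # RAW_DATA carries MsgSts.Cd, the path the question's spath reads; 2 = error
    return {"SESSIONID": sid, "OPERATION": op,
            "RAW_DATA": json.dumps({"MsgSts": {"Cd": code}})}


# Constructed sample: VerifyOTP 4 sessions / 1 error (25%), Login 5 / 1 (20%)
EVENTS = [ev("s1", "VerifyOTP", 2), ev("s1", "VerifyOTP", 2),  # duplicate session
          ev("s2", "VerifyOTP", 0), ev("s3", "VerifyOTP", 0), ev("s4", "VerifyOTP", 0),
          ev("s5", "Login", 2), ev("s6", "Login", 0), ev("s7", "Login", 0),
          ev("s8", "Login", 0), ev("s9", "Login", 0)]


def spath_dedup(events):
    """spath output=error_code path=MsgSts.Cd, then dedup SESSIONID (first wins)."""
    seen, out = set(), []
    for e in events:
        if e["SESSIONID"] not in seen:
            seen.add(e["SESSIONID"])
            out.append({**e, "error_code": json.loads(e["RAW_DATA"])["MsgSts"]["Cd"]})
    return out


def aggregate(events):
    """Total / Error / Rate per OPERATION, the numbers stats and eventstats compute."""
    total, error = defaultdict(int), defaultdict(int)
    for e in events:
        total[e["OPERATION"]] += 1
        error[e["OPERATION"]] += 1 if e["error_code"] == 2 else 0  # sum(eval(if(...)))
    return {op: {"Total": total[op], "Error": error[op],
                 "Rate": round(error[op] / total[op] * 100, 2)} for op in total}


def stats_pipeline(events, threshold=20):
    """stats: one summary row per OPERATION; the raw events are gone after this step."""
    return {op: r for op, r in aggregate(spath_dedup(events)).items() if r["Rate"] > threshold}


def eventstats_pipeline(events, threshold=20, errors_only=False):
    """eventstats: each event keeps its own fields and gains Total/Error/Rate, so
    `search Rate>20` returns detail rows. errors_only adds the error_code=2 filter."""
    deduped = spath_dedup(events)
    agg = aggregate(deduped)
    rows = [{**e, **agg[e["OPERATION"]]} for e in deduped
            if agg[e["OPERATION"]]["Rate"] > threshold]
    return [r for r in rows if r["error_code"] == 2] if errors_only else rows
```

Note that Login sits at exactly 20.0% and is excluded by both pipelines, since the thread's filter is Rate>20, not Rate>=20.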

isoutamo
SplunkTrust
SplunkTrust

Hi

Can you try to use values(field1) ... values(fieldN) in your stats? It shows all the different values those fields contain as an mv field. Probably not exactly what you are looking for, but maybe enough?

If this is not what you want, then you could try to use the require command to check whether this query gives an answer and then add those events? https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Require

r. Ismo
