Splunk Search

Get the details events after using stats

phamxuantung
Communicator

I have a query

 

index="index1"
| spath output=error_code input=RAW_DATA path=MsgSts.Cd
| dedup SESSIONID
| stats count as Total sum(eval(if(error_code=2,1,0))) as Error by OPERATION
| eval Rate=round((Error/Total)*100,2)
| search Rate>20
| table OPERATION Rate Error

 

And the table is

OPERATION | Rate  | Error
VerifyOTP | 24.08 | 310

Which is what I want, because I want to know which OPERATIONs have more than a 20% error rate in a certain time range.
But now the hard part: I want an alert to send to my email the details of all 310 error events shown above. Since I use the stats command, the only information I have left is Total, Error, Rate and OPERATION.

How do I get the detail events when the rate hits >20% according to my search?

1 Solution

ITWhisperer
SplunkTrust

Use eventstats

index="index1"
| spath output=error_code input=RAW_DATA path=MsgSts.Cd
| dedup SESSIONID
| eventstats count as Total sum(eval(if(error_code=2,1,0))) as Error by OPERATION
| eval Rate=round((Error/Total)*100,2)
| search Rate>20

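A model of why the eventstats version works where the stats version does not, added here as an illustration and not code from the thread: the functions below run the same spath / dedup / aggregate / filter steps over constructed sample events in Python, showing that `stats` leaves one summary row per OPERATION while `eventstats` keeps every detail event (the ones the alert should email), annotated with its OPERATION's Total, Error and Rate.

```python
import json
from collections import defaultdict

# Constructed sample events (not from the original post). Each mimics the fields
# the SPL query touches: SESSIONID, OPERATION and a JSON RAW_DATA payload whose
# MsgSts.Cd holds the status code (2 = error).
def _ev(session, op, cd):
    return {"SESSIONID": session, "OPERATION": op,
            "RAW_DATA": json.dumps({"MsgSts": {"Cd": cd}})}

EVENTS = [
    _ev("s1", "VerifyOTP", 2), _ev("s1", "VerifyOTP", 2),  # same session twice: dedup keeps one
    _ev("s2", "VerifyOTP", 0), _ev("s3", "VerifyOTP", 0), _ev("s4", "VerifyOTP", 2),
    _ev("s5", "Login", 0), _ev("s6", "Login", 0), _ev("s7", "Login", 0),
    _ev("s8", "Login", 0), _ev("s9", "Login", 2),
]  # VerifyOTP: 4 sessions, 2 errors = 50%; Login: 5 sessions, 1 error = 20% (not > 20)

def prepare(events):
    """spath output=error_code input=RAW_DATA path=MsgSts.Cd | dedup SESSIONID"""
    seen, out = set(), []
    for e in events:
        if e["SESSIONID"] in seen:
            continue
        seen.add(e["SESSIONID"])
        cd = json.loads(e["RAW_DATA"]).get("MsgSts", {}).get("Cd")
        out.append({**e, "error_code": cd})
    return out

def rates_by_operation(events):
    """count as Total, sum(eval(if(error_code=2,1,0))) as Error, Rate, grouped by OPERATION"""
    agg = defaultdict(lambda: {"Total": 0, "Error": 0})
    for e in events:
        agg[e["OPERATION"]]["Total"] += 1
        agg[e["OPERATION"]]["Error"] += 1 if e["error_code"] == 2 else 0
    for a in agg.values():
        a["Rate"] = round(a["Error"] / a["Total"] * 100, 2)
    return dict(agg)

def stats_pipeline(events, threshold=20):
    """stats ... | search Rate>threshold: one summary row per OPERATION; the events are gone."""
    rates = rates_by_operation(prepare(events))
    return [{"OPERATION": op, **a} for op, a in rates.items() if a["Rate"] > threshold]

def eventstats_pipeline(events, threshold=20):
    """eventstats ... | search Rate>threshold: every deduped event, annotated with its
    OPERATION's Total/Error/Rate, kept only when that OPERATION exceeds the threshold."""
    prepared = prepare(events)
    rates = rates_by_operation(prepared)
    return [{**e, **rates[e["OPERATION"]]} for e in prepared
            if rates[e["OPERATION"]]["Rate"] > threshold]
```

In Splunk the eventstats search can then end with a `table` of the raw fields you want in the email (for example `| table _time SESSIONID OPERATION error_code Rate`) so the alert lists the offending events rather than the summary row.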


isoutamo
SplunkTrust

Hi

Can you try to use values(field1) ... values(fieldN) in your stats? It shows all the different values those fields contain, as an mv field. Probably not exactly what you are looking for, but maybe enough?

If this is not what you want, then you could try to use the require command to check whether this query gives an answer and then add those events: https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Require

r. Ismo
