index=alarm* host="*" Message.EventCategory="Error" OR "ERROR" | stats count as Error| eval Events= [search "*" | stats count as search] | eval "Error Percentage" = (Error/Events)*100 | fields Events Error "Error Percentage"
Any help would be very welcome.
Thanks
Sean
Try this:
index=alarm* host="*" Message.EventCategory="Error" OR "ERROR" | timechart count as error
| appendcols [tstats prestats=t count by _time | timechart count]
| eval "Error Percentage" = error / count * 100 | fields - error count
Yeah, 5.0 had a less feature-rich first version of tstats. I highly recommend upgrading!
Use this while on 5.0:
index=alarm* host="*" Message.EventCategory="Error" OR "ERROR" | timechart count as error
| appendcols [| metasearch * | timechart count]
| eval "Error Percentage" = error / count * 100 | fields - error count
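Both answers above pair an error-only timechart with a second count via appendcols, which relies on the two result sets having exactly the same rows in the same order. As an added example (not part of Martin's or Sean's posts; field names are assumed from the searches in this thread and the span is a placeholder), the same percentage can be computed in a single pass, which works on 5.0 without tstats and cannot misalign buckets:

```spl
index=alarm* host="*"
| eval is_error=if('Message.EventCategory'="Error" OR match(_raw, "ERROR"), 1, 0)
| timechart span=1h count AS Events sum(is_error) AS Error
| fillnull value=0 Error
| eval "Error Percentage"=if(Events>0, round(Error/Events*100, 2), 0)
| fields _time Events Error "Error Percentage"
```

Notes on the choices: the dotted field must be single-quoted inside eval, otherwise `.` is read as string concatenation; `match()` is a case-sensitive regex, unlike the free-text term `"ERROR"` in the original search, so adjust it if mixed-case messages exist; `fillnull` and the `Events>0` guard keep buckets with no events at 0 instead of null or a division error. The trade-off is that this search reads every event in `index=alarm*` rather than only the errors plus a metadata count, so it is slower on large indexes than the metasearch form.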
Hi Martin,
Thanks for the quick reply. I have tried to run this but it throws the following error:
Error in 'TsidxStats': Missing 'FROM' keyword to specify namespace.
I am still looking at this but do you have any ideas?
Thanks
Sean
Hi Martin,
I changed it slightly to suit my needs but many thanks for your help.
index=alarm* host="*" Message.EventCategory="Error" OR "ERROR" | stats count as Error| eval Events= [search "*" | stats count as search] | eval "Error Percentage" = (Error/Events)*100 | fields Events Error "Error Percentage"
Hi Martin,
It appears that my version of Splunk (5.0.5, build 179365) will not work with tstats as this was introduced in version 6.
I have amended the search as below:
index=* host="*" Message.EventCategory="Error" OR "ERROR" | timechart count as Error | appendcols [stats count by _time | timechart count] | eval "Error Percentage" = error / count * 100 | fields Error Count Percentage
but this only brings back results for the errors 😞