Splunk Search

How can I compare the ratio of errors to 10 minutes ago for all our app_pools?

daniel333
Builder

I would like to get a ratio of errors by app_pool, and then compare it to 5, 10, 1hr ago?

tag=java | 
stats count as "Events" by app_pool | 
appendcols [search 
tag=java tag=problem |
stats count as "Problems" by app_pool]

I am thinking a running summary index counting errors and counting events by app_pool, then a search which compares things after the fact? Is there a better way to do this?

0 Karma

woodcock
Esteemed Legend

You need the timewrap app:

https://splunkbase.splunk.com/app/1645/

0 Karma

sundareshr
Legend

Try this

tag=java earliest=@d | timechart span=1h count as Events count(eval(tag=problem)) as Problems | eval ratio=round(Problems/Events, 2)
0 Karma

daniel333
Builder

Hmm, the evals there don't seem to work. Returning nothing.

0 Karma

sundareshr
Legend

Sorry, problem needs to be in quotes. count(eval(tag="problem"))

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...