Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I quantify the intermittent failure of a regular event?

dreeck
Path Finder
‎09-20-2016 10:38 AM

My logs contain records of scheduled events. Sometimes the events fail, usually in 1 of 2 modes: systematic - once they fail they always fail (until corrected) or intermittent (they fail, the succeed, succeed, succeed, then fail fail fail then succeed). I'd like to produce a report that shows
- per time period (say a day)
- for all events belonging to a schedule
- how intermittently are the scheduled events failing
- what percentage of events are failures

For example
For 1/1/2016
Schedule #1728 70% success 0% itermittency (for a schedule in which 30% of events were failures, and once the failures start they never stop)
Schedule #1821 70% success 100% intermittency (for a schedule in which 30% were failures, and after every failure the next event was a success)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-20-2016 11:19 AM

See if this gets your going

base search | eval score=if(status="success", 1, 0) | streamstats window=1 current=f values(score) as nscore by schedule | streamstats count(eval(score=nscore)) as c by schedule | stats count count(eval(status="success")) as success count(eval(status="fail")) as fail max(c) as inter by schedule | eval s_perc=success/count*100 | eval f_perc=fail/count*100 | eval i_perc=inter/fail

Basically, the higher the value for inter, the higher the intermitancy

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-20-2016 11:19 AM

See if this gets your going

base search | eval score=if(status="success", 1, 0) | streamstats window=1 current=f values(score) as nscore by schedule | streamstats count(eval(score=nscore)) as c by schedule | stats count count(eval(status="success")) as success count(eval(status="fail")) as fail max(c) as inter by schedule | eval s_perc=success/count*100 | eval f_perc=fail/count*100 | eval i_perc=inter/fail

Basically, the higher the value for inter, the higher the intermitancy

0 Karma
Reply
Solved! Jump to solution

dreeck
Path Finder
‎10-05-2016 10:44 PM

This is generating results for me, but I had to mess around a bit to get my JSON fields evaluated. Tip: for a JSON field, enclose the field name in single quotes, and the value in double quotes. eval score = if('json.field1'="banana", 1, 0) works. eval score = if(json.field1=banana, 1, 0) don't.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...