Hi, suppose my events contain this field with two possible values:
Ok=True or
Ok=False
Every hour, I'll have a certain number ('TTT') of True values and a certain number ('FFF') of False values.
I want to create a chart that shows the failure rate (FFF/(TTT+FFF)) for any given time bucket size.
Is that possible please?
Thanks in advance.
Like this:
index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo
| bin _time span=1h
| chart count BY _time Ok
| fillnull value=0 True False
| eval pct=100*False/(False+True)
| timechart span=1h first(pct) AS pct
I had a mistake and edited my answer to fix it. Try again.
This is perfect, thanks! Works like a charm!
Yep. Do this |eval rate = (FFF/(TTT+FFF)) | timechart span=1h avg(rate) as rate
You can set span to whatever you want.
Sorry, I'm still a noob when it comes to Splunk, but how would I actually obtain the queries for FFF and TTT?
I tried various combinations of this (and the answer below) but nothing gets charted
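Both answers above compute the same thing by different routes: the first pivots the counts into True/False columns per bucket, the second derives a per-event value and averages it. The search below is an added worked example (not code from either answerer) that spells out the second route, which is what the "how do I obtain FFF and TTT" comment is asking for: TTT and FFF are not separate searches but counts you derive from the one extracted field. It assumes the field is extracted as Ok with the literal values True and False, and keeps the placeholder index and sourcetype from the first answer. It also handles the two cases that silently produce an empty chart: buckets with no False events and buckets with no events at all.

```spl
index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcetypeToo Ok=*
| eval failed=if(Ok="False", 1, 0)
| timechart span=1h count AS total, sum(failed) AS failures
| fillnull value=0 total failures
| eval pct=if(total>0, round(100*failures/total, 2), null())
| fields _time total failures pct
```

Here `total` is TTT+FFF and `failures` is FFF; `fillnull` covers empty buckets, which `timechart` otherwise leaves with a null `failures`, and the `if(total>0, ...)` guard leaves the percentage null rather than dividing by zero, so the chart shows a gap for an hour with no traffic instead of a misleading 0%. The shortest equivalent of the second answer is `| eval failed=if(Ok="False",1,0) | timechart span=1h avg(failed) AS rate`, which yields the rate as a fraction (0 to 1) rather than a percentage. Change `span=1h` to any bucket size you want (`15m`, `1d`) in either form.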