Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I make a Splunk query to get percentage by the fields testName and experience?

saifullakhalid
Explorer
‎12-04-2018 08:58 AM

I tried working on this, but I was unsuccessful. Here is my query and the logs:

Query:

source=“/var/log/*.log” platform testName testId experience | stats count as trafficSplit by platform  testId testName experience

Currently, the query works fine but it gives me count, I need in percentage by test name and experience.

For example, for testName=ProductCategorySort, how much % of RR and EVG experience, similarly for testName= ProductPageRedesign, how much percentage of A and B experience.

platform    testId       testName                    experience          trafficSplit
Internal    facet1          facetedLeftNav         E1:FACET_OFF            1
Internal    pcs1            pcsCategorySort         E2:EVG                     1
Target  229352:0:0  ProductCategorySort         RR                        658
Target  229352:1:0  ProductCategorySort       EVG                         563
Target  234792:0:0  ProductPageRedesign        A                             5
Target  234792:1:0  ProductPageRedesign.         B                          1

expected output :

platform    testId      testName                     experience          Percent trafficSplit
Internal    facet1          facetedLeftNav        E1:FACET_OFF             50
Internal    pcs1            pcsCategorySort      E2:EVG                   50
Target  229352:0:0  ProductCategorySort         RR                            50
Target  229352:1:0  ProductCategorySort       EVG                              60
Target  234792:0:0  ProductPageRedesign        A                              99
Target  234792:1:0  ProductPageRedesign.       B                               1

logs:

04 Dec 2018 16:24:46,806 INFO  [com.khp.abtest.services.AdobeTargetService] (http-nio-8080-exec-5) {ADOBE_SESSION_ID=798797979, DYN_USER_ID=7668768687, JSESSIONID=jlkjlkjlkjll, MBOX_IDS=[ProductCategorySort], REQUEST_URL=http://perf.company.com/c/gifts-crazy-good-gifts-cat89899?navpath=cat000000_cat000672_cat878787878, THIRDPARTY_ID=UNKNOWN, TLTSID=192636DAhghjgjgjgjhB02F913F1AF7, TNT_ID=f85201bb11d2403ca392b83423298f97.28_97, TRACE_ID=hjhjhjhj-2eaf-429e-a3c0-jbjhjhghgh, TRUE_CLIENT_IP=UNKNOWN} platform="Target",testNames="ProductCategorySort",[testName="ProductCategorySort",testId="229352:0:0",experience="RR"]


04 Dec 2018 16:24:33,979 INFO  [com.khp.abtest.services.AdobeTargetService] (http-nio-8080-exec-9) {ADOBE_SESSION_ID=5c20e4764576576570ae4820dd, DYN_USER_ID=878788787, JSESSIONID=gjhghjgjhgjhgj, MBOX_IDS=[ProductCategorySort], REQUEST_URL=http://perf.company.com/c/shoes-all-designerperf.company.com90746?navpath=cat000000_cat000141_cat787878_cat47878, THIRDPARTY_ID=UNKNOWN, TLTSID=jhjhjhjhjhjhjhjhj, TNT_ID=5c20e23085804997b7d81b20ae4820dd.17_70, TRACE_ID=7605fd4c-7a2d-4b3e-b7eb-6f5c8580c0a9, TRUE_CLIENT_IP=UNKNOWN} platform="Target",testNames="ProductCategorySort",[testName="ProductCategorySort",testId="229352:1:0",experience="EVG"]

04 Dec 2018 16:16:20,619 INFO  [com.khp.abtest.services.AdobeTargetService] (http-nio-8080-exec-7) {ADOBE_SESSION_ID=0a53b4774f644812896db1daf6ed9a17, DYN_USER_ID=798989 JSESSIONID=jkjlkjljljlkjkl, MBOX_IDS=[truefitABTest,ProductPageRedesign], REQUEST_URL=http://localhost:3000/p/ugg-sequined-sparkles-wool-lined-boot-prod898989?childItemId=NCX20U4_07&adobeQA=1072_pdpred_B, THIRDPARTY_ID=UNKNOWN, TLTSID=jhkjjjkhkhkhk, TNT_ID=hjkhkhjkhjkhkjhk5ded6c83.28_91, TRACE_ID=620d5c39-27c9-8989-a65c-40hjjjjhjb6, TRUE_CLIENT_IP=UNKNOWN} platform="Target",testNames="truefitABTest,ProductPageRedesign",[],[testName="ProductPageRedesign",testId="234792:1:0",experience="B"]
Tags (1)
0 Karma
Reply

bjoernjensen
Contributor
‎12-04-2018 01:10 PM

Hey,

you might want to have a look into eventstats:
http://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/Eventstats

Having some counted stats data by topicA and topicB, you could easily calculate a percentage by topicA:

index = _internal sourcetype=splunkd component=*process*
| stats count by log_level component
| eventstats sum(count) as count_total by component
| eval percent = round((100/count_total)*count,1)
| sort component
| table component log_level percent count

Hope that helps,
Björn

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...