Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to build a Splunk search to build a table for PASS and FAIL percentage?

super_edition
Path Finder
‎05-30-2023 05:57 AM

Hello Everyone,

This is the extension of previous query which I posted- https://community.splunk.com/t5/Splunk-Search/How-would-I-write-a-Splunk-search-to-build-a-table-for...

Thanks to @ITWhisperer  and updated query worked well.

Now I am trying to add percentage column for PASS and FAIL, instead of the count:

_time success fail
2023-05-28 03:00 98 2
2023-05-28 04:00 60 40
2023-05-28 05:00 100 0

 

I was trying to build a query, something like this:

 

 

index=my_index sourcetype=openshift_logs openshift_namespace=my_ns  openshift_cluster="cluster009"
("message.statusCode"=2* OR "message.statusCode"=4*) 
| eval status=if('message.statusCode'>300,"fail","success")
| search "message.logType"=CLIENT_RES 
| search "message.url"="/shopping/carts/*"  
```| timechart span=1h dc("message.tracers.ek-correlation-id{}") as count by status```
| eventstats count("message.tracers.ek-correlation-id{}") as totalCount
| eventstats count("message.tracers.ek-correlation-id{}") as individualCount by status
| eval percent=(individualCount/totalCount)*100

 

 

I know the above query is incomplete and not sure if this the right way to proceed.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2023 12:22 AM

Just overwrite the success and fail fields

index=my_index sourcetype=openshift_logs openshift_namespace=my_ns  openshift_cluster="cluster009"
("message.statusCode"=2* OR "message.statusCode"=4*) 
| eval status=if('message.statusCode'>300,"fail","success")
| search "message.logType"=CLIENT_RES 
| search "message.url"="/shopping/carts/*"
| timechart span=1h dc("message.tracers.correlation-id{}") as count by status pct
| addtotals
| eval success=round(100*success/Total,1)
| eval fail=round(100*fail/Total,1)

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-30-2023 06:17 AM

Instead of the last 3 lines, try this

| addtotals
| eval successpercent=100*success/Total
0 Karma
Reply
Solved! Jump to solution

super_edition
Path Finder
‎05-30-2023 10:29 PM

Hello @ITWhisperer 

I am getting the below data as the result:

super_edition_0-1685510734485.png

index=my_index sourcetype=openshift_logs openshift_namespace=my_ns  openshift_cluster="cluster009"
("message.statusCode"=2* OR "message.statusCode"=4*) 
| eval status=if('message.statusCode'>300,"fail","success")
| search "message.logType"=CLIENT_RES 
| search "message.url"="/shopping/carts/*"
| timechart span=1h dc("message.tracers.correlation-id{}") as count by status pct
| addtotals
| eval successpercent=round(100*success/Total,1)
| eval failpercent=round(100*fail/Total,1)

But I am looking for only successpercent and failpercent to be displayed in the table.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2023 12:22 AM

Just overwrite the success and fail fields

index=my_index sourcetype=openshift_logs openshift_namespace=my_ns  openshift_cluster="cluster009"
("message.statusCode"=2* OR "message.statusCode"=4*) 
| eval status=if('message.statusCode'>300,"fail","success")
| search "message.logType"=CLIENT_RES 
| search "message.url"="/shopping/carts/*"
| timechart span=1h dc("message.tracers.correlation-id{}") as count by status pct
| addtotals
| eval success=round(100*success/Total,1)
| eval fail=round(100*fail/Total,1)
Reply
Solved! Jump to solution

super_edition
Path Finder
‎05-30-2023 10:33 PM

this command helped:

|fields _time successpercent failpercent

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...