How to calculate Percentage of particular events o...

mrigank517 · ‎05-17-2019

I want to find the percent of events with the key word error out of all the events recorded during a time window
I have the following query in place but the result generated is 0.0000%

index=XXX "*" | stats count AS "Total", count(eval(eventMessage=="error")) AS Failure|eval Failurerate=(Failure/Total)*100|table Failurerate

somesoni2 · ‎05-17-2019

Give these a try

index=XXX "*" | stats count AS "Total", count(eval(searchmatch("error"),1,0)) AS Failure|eval Failurerate=(Failure/Total)*100|table Failurerate

OR

index=XXX "*" | stats count AS "Total", count(eval(match(eventMessage,"error"),1,0)) AS Failure|eval Failurerate=(Failure/Total)*100|table Failurerate

p_gurav · ‎05-17-2019

Try this:

index=XXX  | stats count AS "Total", sum(eval(if(eventMessage=="error", 1, 0))) AS Failure|eval Failurerate=(Failure/Total)*100|table Failurerate

mrigank517 · ‎05-17-2019

No luck, as discussed below eventMessage=="error" is not returning any results.

harsmarvania57 · ‎05-17-2019

Hi,

Please try below query

index=XXX "*" | stats count AS "Total", sum(eval(if(eventMessage="error",1,0))) AS Failure|eval Failurerate=(Failure/Total)*100|table Failurerate

mrigank517 · ‎05-17-2019

The query runs fine but the result generated is 0.
Ideally it should be above 0

harsmarvania57 · ‎05-17-2019

It looks like you don't have field extracted or space or any other character is present in eventMessage field

Can you please run below query and please let us know are you getting any output ?

index="xxx" eventMessage="error"

mrigank517 · ‎05-17-2019

Yeah you sensed it right this returns 0 result. But when searched with the following query the results are populated.

index="xxx" error

harsmarvania57 · ‎05-17-2019

Yes because you are searching error word in raw data, however query which I have provided specifically search error word in eventMessage field, so you need to fix your field extraction first then query which I have provided will work.

mrigank517 · ‎05-17-2019

Any hints on how to get the field extracted or to run this through raw data?

harsmarvania57 · ‎05-17-2019

If you can provide some sample raw data (please mask sensitive data) then we can write regular expression to extract data in field and then use that field in stats.

mrigank517 · ‎05-17-2019

My karma wont allow me to attach the file.

This is the next best i could do with raw data.

40.22% 6544 timestamp ERROR Application error.
21.84% 7072 timestamp ERROR [Brandify] GetNearestRestaurants: The operation has timed out
7.07% 3380 timestamp ERROR Cannot create tracker.
6.79% Message: Error while rendering view: 'xxx.cshtml' (model: 'Sitecore.Mvc.Presentation.RenderingModel, Sitecore.Mvc').
2.85% 4308 timestamp ERROR CreateAccount failed. Time elapsed: 00:00:00.042, ErrorCode: 110, ErrorMessage: Duplicate email address
1.73% 3896 timestamp ERROR Cannot finish Analytics page tracking
1.34% 3752 timestamp ERROR MediaRequestProtection: An invalid/missing hash value was encountered. The expected hash value: 8A206C19591658B84F4EDE5F513B9A007EF9056A. Media URL: /-/media/header/XXXXXXXXXXX.ashx?h=339&w=1472&la=en&hash=%2527%2520%25278%2527%2520%2527A206C19591658B84F4EDE5F513B9A007EF9056A%2527%2520%2527%2527%2520%2527, Referring URL:
0.57% 1404 timestamp ERROR System.OperationCanceledException: The operation was canceled.
0.36% Message: Error converting value {null} to type 'System.Single'. Path '[0].latitude', line 1, position 34.
0.22% Message: The remote server returned an error: (504) Gateway Timeout.

How to calculate Percentage of particular events out of total events.

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...