- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to calculate failure percentage?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to create a dashboard which shows % availability over a set period of time. I am trying to calculate all calls - 5xx failures - 400 failures.
However, I am not sure if 400 failures are also being counted in the successful call line and if other 4xx failures are included in the fourHundredFail line. Is the below the correct way to calculate this? Thank you for your help!
vhost="mainbrand"
| eval successfulCall=if('httpstatus'=200 OR 'httpstatus'=201 OR 'httpstatus'=204 OR 'httpstatus'=401 OR 'httpstatus'=403 OR'httpstatus'=404 OR 'httpstatus'=422 OR 'httpstatus'=429,1,0)
| eval fourHundredFail=if('httpstatus'=400, 1,0)
| eval technicalFail=if(match(substr('httpstatus',1,1),"5") ,1,0)
| eval totalSuccesfulCalls = successfulCall-fourHundredFail-technicalFail
| stats sum(successfulCall) as "2xx_or_4xx_Calls" sum(fourHundredFail) as "400_Failures" sum(technicalFail) as "5xx_Failures" sum(totalSuccesfulCalls) as "Total_Successful_Calls" by vhost
| eval percentageAvailability=(('Total_Successful_Calls'/'2xx_or_4xx_Calls')*100)
| eval percentageAvailability=round('percentageAvailability', 2)
| table vhost, "2xx_or_4xx_Calls","400_Failures", "5xx_Failures", "Total_Successful_Calls", percentageAvailability
| appendpipe [stats avg(percentageAvailability) as averagePercentage]
| eval averagePercentage=round('averagePercentage', 2)
| sort by "percentageAvailability" asc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Rgru wrote:Hi,
In this line, are any 400 failures being included?
eval successfulCall=if('httpstatus'=200 OR 'httpstatus'=201 OR 'httpstatus'=204 OR 'httpstatus'=401 OR 'httpstatus'=403 OR'httpstatus'=404 OR 'httpstatus'=422 OR 'httpstatus'=429,1,0)
No. There is one httpstatus per event, so successfulCall is set if it equals any of the values you have listed
And in this line are any calls other than those which are 400 being included?
eval fourHundredFail=if('httpstatus'=400, 1,0)
No
Full query below:
| eval allCalls = successfulCall + fourHundredFail + technicalFail
| eval allFailures = fourHundredFail + technicalFail
| eval totalSuccesfulCalls = allCalls-allFailures
These lines are not necessary - allCalls will always be one - (unless httpstatus is NOT any of the tests you make at the start). You should do this calculation in the stats command
| stats sum(allCalls) as "Total no. calls" sum(successfulCall) as "2xx_or_4xx_Calls" sum(allFailures) as "Total no. failures" sum(fourHundredFail) as "400_Failures" sum(technicalFail) as "5xx_Failures" sum(totalSuccesfulCalls) as "Total_Successful_Calls" by vhost
| stats count "Total no. calls" sum(successfulCall) as "2xx_or_4xx_Calls" sum(fourHundredFail) as "400_Failures" sum(technicalFail) as "5xx_Failures" by vhost
| eval "Total no. failures" = '400_Failures' + '5xx_Failures'
| eval "Total_Successful_Calls" = '2xx_or_4xx_Calls'
I think you are getting confused with the pipeline - you shouldn't do any calculations before the stats, they are not doing anything. All you need to do before the stats is to 'categorise' the event as you are doing with first 3 eval statements.
In the above stats, you calculate total calls (using 'count' to count all events). Then sum your successful calls/400s/5xx
AFTER that you can then calculate failures, which is simply 400 + 5xx and from what I can gather, successful calls is the same as 2xx or 4xx calls.
|eval percentageAvailability=(('Total_Successful_Calls'/'Total no. calls')*100)
|eval percentageAvailability=round('percentageAvailability', 2)
|table vhost, "Total no. calls", "2xx_or_4xx_Calls", "Total no. failures", "400_Failures", "5xx_Failures", percentageAvailability
|appendpipe [stats avg(percentageAvailability) as averagePercentage]
|eval averagePercentage=round('averagePercentage', 2)
|sort by "percentageAvailability" ascThanks very much for your help, it is much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you! You are correct, I had miscalculated this. I have changed the query so it minuses 400 and 5xx failures from all calls (not just successful). It is a little longwinded but it shows the workings. Noted about the substr being unnecessary too, thank you for pointing it out.
In this line, are any 400 failures being included?
eval successfulCall=if('httpstatus'=200 OR 'httpstatus'=201 OR 'httpstatus'=204 OR 'httpstatus'=401 OR 'httpstatus'=403 OR'httpstatus'=404 OR 'httpstatus'=422 OR 'httpstatus'=429,1,0)
And in this line are any calls other than those which are 400 being included?
eval fourHundredFail=if('httpstatus'=400, 1,0)
Full query below:
vhost="brand"
| eval successfulCall=if('httpstatus'=200 OR 'httpstatus'=201 OR 'httpstatus'=204 OR 'httpstatus'=401 OR 'httpstatus'=403 OR'httpstatus'=404 OR 'httpstatus'=422 OR 'httpstatus'=429,1,0)
| eval fourHundredFail=if('httpstatus'=400, 1,0)
| eval technicalFail=if(match(substr('httpstatus',1,1),"5") ,1,0)
| eval allCalls = successfulCall + fourHundredFail + technicalFail
| eval allFailures = fourHundredFail + technicalFail
| eval totalSuccesfulCalls = allCalls-allFailures
| stats sum(allCalls) as "Total no. calls" sum(successfulCall) as "2xx_or_4xx_Calls" sum(allFailures) as "Total no. failures" sum(fourHundredFail) as "400_Failures" sum(technicalFail) as "5xx_Failures" sum(totalSuccesfulCalls) as "Total_Successful_Calls" by vhost
|eval percentageAvailability=(('Total_Successful_Calls'/'Total no. calls')*100)
|eval percentageAvailability=round('percentageAvailability', 2)
|table vhost, "Total no. calls", "2xx_or_4xx_Calls", "Total no. failures", "400_Failures", "5xx_Failures", percentageAvailability
|appendpipe [stats avg(percentageAvailability) as averagePercentage]
|eval averagePercentage=round('averagePercentage', 2)
|sort by "percentageAvailability" asc
Thanks very much for your help, it is much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Amazing! Thanks so much for your help 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Rgru wrote:Hi,
In this line, are any 400 failures being included?
eval successfulCall=if('httpstatus'=200 OR 'httpstatus'=201 OR 'httpstatus'=204 OR 'httpstatus'=401 OR 'httpstatus'=403 OR'httpstatus'=404 OR 'httpstatus'=422 OR 'httpstatus'=429,1,0)
No. There is one httpstatus per event, so successfulCall is set if it equals any of the values you have listed
And in this line are any calls other than those which are 400 being included?
eval fourHundredFail=if('httpstatus'=400, 1,0)
No
Full query below:
| eval allCalls = successfulCall + fourHundredFail + technicalFail
| eval allFailures = fourHundredFail + technicalFail
| eval totalSuccesfulCalls = allCalls-allFailures
These lines are not necessary - allCalls will always be one - (unless httpstatus is NOT any of the tests you make at the start). You should do this calculation in the stats command
| stats sum(allCalls) as "Total no. calls" sum(successfulCall) as "2xx_or_4xx_Calls" sum(allFailures) as "Total no. failures" sum(fourHundredFail) as "400_Failures" sum(technicalFail) as "5xx_Failures" sum(totalSuccesfulCalls) as "Total_Successful_Calls" by vhost
| stats count "Total no. calls" sum(successfulCall) as "2xx_or_4xx_Calls" sum(fourHundredFail) as "400_Failures" sum(technicalFail) as "5xx_Failures" by vhost
| eval "Total no. failures" = '400_Failures' + '5xx_Failures'
| eval "Total_Successful_Calls" = '2xx_or_4xx_Calls'
I think you are getting confused with the pipeline - you shouldn't do any calculations before the stats, they are not doing anything. All you need to do before the stats is to 'categorise' the event as you are doing with first 3 eval statements.
In the above stats, you calculate total calls (using 'count' to count all events). Then sum your successful calls/400s/5xx
AFTER that you can then calculate failures, which is simply 400 + 5xx and from what I can gather, successful calls is the same as 2xx or 4xx calls.
|eval percentageAvailability=(('Total_Successful_Calls'/'Total no. calls')*100)
|eval percentageAvailability=round('percentageAvailability', 2)
|table vhost, "Total no. calls", "2xx_or_4xx_Calls", "Total no. failures", "400_Failures", "5xx_Failures", percentageAvailability
|appendpipe [stats avg(percentageAvailability) as averagePercentage]
|eval averagePercentage=round('averagePercentage', 2)
|sort by "percentageAvailability" ascThanks very much for your help, it is much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your line
| eval totalSuccesfulCalls = successfulCall-fourHundredFail-technicalFailAssuming all httpstatus are catered for in your query, then this will either be 1 (if it was a 2x or 4x call, but not 400), or it will be -1 (if it was 400 or 5*)
So, if you had 2 calls and one was a 200 and the other a 500, the sum of this field in the stats command would be 0. That does not seem right.
How is this number supposed to differ from the sum of successfulCall?
Also, note that your 5xx match statement does not need substr if you just match the start of the string
| eval technicalFail=if(match('httpstatus',"^5") ,1,0)
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
Introducing the Splunk Community Dashboard Challenge!
