Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare success/failure by status

mwolfe
Engager
‎10-31-2024 05:00 PM

I've got data so:

"[clientip]  [host] - [time] [method] [uri_path] [status] [useragent]" ..  
and do the following search:

 

index=web  uri_path="/somepath" status="200" OR status="400"
| rex field=useragent "^(?<app_name>[^/]+)/(?<app_version>[^;]+)?\((?<app_platform>[^;]+); *"
| eval app=app_platform+" "+app_name+" "+app_version

 


I've split up the useragent just fine and verified the output. I want to now compare status  by "app".
So I've added the following:

 

| stats count by app, status

 


Which gives me:

appstatuscount

android app 1.0

2005000

ios app 2.0

4003

android app 1.1

200500

android app 1.0

40012

ios app 2.0

2003000


How can I compare, for a given "app" (combo of platform, name, version) the rate of success where success is when the response = 200 and failure if 400. I understand that I need to take success and divide by success + failure count.. But how do I combine this data? 
Also note that I need to consider that some apps may not have any 400 errors. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-01-2024 03:55 AM

Hi @mwolfe ,

don't use sum but count:

index=web  uri_path="/somepath" status="200" OR status="400"
| rex field=useragent "^(?<app_name>[^/]+)/(?<app_version>[^;]+)?\((?<app_platform>[^;]+); *"
| eval app=app_platform+" "+app_name+" "+app_version
| eval success=if(status=200,1,0)
| eval failure=if(status=400,1,0)
| stats 
     count(failure) AS fail_count
     count(success) AS success_count
     BY app
| eval success_rate=round((success_count / (success_count + fail_count))*100,1)
| table app success_rate

otherwise, you could insert the eval in the stats:

index=web  uri_path="/somepath" status="200" OR status="400"
| rex field=useragent "^(?<app_name>[^/]+)/(?<app_version>[^;]+)?\((?<app_platform>[^;]+); *"
| eval app=app_platform+" "+app_name+" "+app_version
| stats 
     count(eval(status=400)) AS fail_count
     count(eval(status=200)) AS success_count
     BY app
| eval success_rate=round((success_count / (success_count + fail_count))*100,1)
| table app success_rate

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mwolfe
Engager
‎10-31-2024 05:54 PM

I think I got it 

| eval success=if(status=200,1,0)
| eval failure=if(status=400,1,0)
| stats sum(failure) as fail_sum, sum(success) as success_sum by app
| eval success_rate=round((success_sum / (success_sum + fail_sum))*100,1)
| table app, success_rate
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-01-2024 04:58 AM

You can also check out two nice commands - xyseries and untable which can be used to (de)tabularize such data series.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-01-2024 03:55 AM

Hi @mwolfe ,

don't use sum but count:

index=web  uri_path="/somepath" status="200" OR status="400"
| rex field=useragent "^(?<app_name>[^/]+)/(?<app_version>[^;]+)?\((?<app_platform>[^;]+); *"
| eval app=app_platform+" "+app_name+" "+app_version
| eval success=if(status=200,1,0)
| eval failure=if(status=400,1,0)
| stats 
     count(failure) AS fail_count
     count(success) AS success_count
     BY app
| eval success_rate=round((success_count / (success_count + fail_count))*100,1)
| table app success_rate

otherwise, you could insert the eval in the stats:

index=web  uri_path="/somepath" status="200" OR status="400"
| rex field=useragent "^(?<app_name>[^/]+)/(?<app_version>[^;]+)?\((?<app_platform>[^;]+); *"
| eval app=app_platform+" "+app_name+" "+app_version
| stats 
     count(eval(status=400)) AS fail_count
     count(eval(status=200)) AS success_count
     BY app
| eval success_rate=round((success_count / (success_count + fail_count))*100,1)
| table app success_rate

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-01-2024 10:01 AM

Hi @mwolfe ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...