Solved: How to create a search that calculates percentage ...

Bliide · ‎06-05-2014

New Splunk user. I am creating web dashboards and I want to calculate the percentage of successful status codes. The logs are IIS. I am trying to create a search that takes the total status codes (sc_status="*") and divides by the successful status codes (sc_status<=400). I am just trying to create a single value quick reference that shows the percentage of success. I know I need to use eval to define the fields but I am having problems understanding how to put the different values together. When I do the following search I get No results found.

| stats count(eval(sc_status="*")) AS total, count(eval(sc_status<=400)) AS success | eval percent_difference=((success/total)*100) | table percent_difference

somesoni2 · ‎06-05-2014

Try this

Your base search | stats count(sc_status) AS total, count(eval(sc_status<=400)) AS success | eval percent_difference=((success/total)100) | table percent_difference

View solution in original post

somesoni2 · ‎06-05-2014

Try this

Your base search | stats count(sc_status) AS total, count(eval(sc_status<=400)) AS success | eval percent_difference=((success/total)100) | table percent_difference

Bliide · ‎06-05-2014

Thanks for the quick reply, working great now!

How to create a search that calculates percentage from 2 different values in the same field.

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users