Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a time chart of HTTP error codes as a percentage of a total using rangemap, excluding httpcode=200 from the chart?

JDukeSplunk
Builder
‎10-17-2016 12:49 PM

I am trying to display the percentage of a rangemap as related to the total events while excluding the httpcode=200 from the chart.
I don't have to use a rangemap, but it would help to make the chart a little cleaner. Basically, I want to do this, without the 200's, in a timechart.

alt text

So far, what I have is this.

index=application (host=TTAPPPEGACC*) sourcetype="apollo:prod:tomcat_access" 
| rangemap field=httpcode 200=200-299,300=300-399,400=400-499,500=500-599 
|bucket _time span=1m
|eventstats count(httpcode) as Total by _time
Preview file
75 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

JDukeSplunk
Builder
‎10-18-2016 10:23 AM

Sundareshr put me on the right track, and I am interested on playing with foreach a little more.

Here is what I ended up with. This is for a dashboard with time exclusion logic for maintance windows, which is why there is a eval hours and |where (NOT hours=. 

index=application (host=TTAPPPEGACC*) sourcetype="apollo:prod:tomcat_access" 
|eval hours=strftime(_time, "%H")
|where (NOT hours=25 AND NOT hours=12 AND NOT hours=1 AND NOT hours=2)
|rangemap field=httpcode http_200=200-299,http_300=300-399,http_400=400-499,http_500=500-599   
|bucket _time span=1h 
|chart count over _time by range 
|addtotals 
|timechart span=1h values(eval(http_400*100/Total)) AS 400s, values(eval(http_500*100/Total)) AS 500s

Which, if anyone is curious looks like this.

alt text

View solution in original post

Preview file
55 KB
0 Karma
Reply
Solved! Jump to solution
Solution

JDukeSplunk
Builder
‎10-18-2016 10:23 AM

Sundareshr put me on the right track, and I am interested on playing with foreach a little more.

Here is what I ended up with. This is for a dashboard with time exclusion logic for maintance windows, which is why there is a eval hours and |where (NOT hours=. 

index=application (host=TTAPPPEGACC*) sourcetype="apollo:prod:tomcat_access" 
|eval hours=strftime(_time, "%H")
|where (NOT hours=25 AND NOT hours=12 AND NOT hours=1 AND NOT hours=2)
|rangemap field=httpcode http_200=200-299,http_300=300-399,http_400=400-499,http_500=500-599   
|bucket _time span=1h 
|chart count over _time by range 
|addtotals 
|timechart span=1h values(eval(http_400*100/Total)) AS 400s, values(eval(http_500*100/Total)) AS 500s

Which, if anyone is curious looks like this.

alt text

Preview file
55 KB
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-17-2016 01:03 PM

Try this

index=application (host=TTAPPPEGACC*) sourcetype="apollo:prod:tomcat_access" 
 | rangemap field=httpcode 200=200-299,300=300-399,400=400-499,500=500-599 
 |bucket _time span=1m
 | chart count over _time by range 
 | addtotals
 | foreach *00 [ eval perc_<<MATCHSTR>>00=ROUND((<<FIELD>>/Total)*100), 0) ]
 | table _time perc*
0 Karma
Reply
Solved! Jump to solution

JDukeSplunk
Builder
‎10-18-2016 07:13 AM

Thanks for the response Sundareshr,
The foreach, eval logic is failing, maybe it cannot identify the field *00 since it is generated by rangemap and does not show as standalone fields, but as values of a field named "range".

"Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression"

I'd like to get it working, since I have never used foreach before, and would like to use it to shorten some of my longer searches with repeating eval logic.

I've used something similar in the past to generate percentages, that involved inserting a stats command, and then multiple eval's to generate the percentages. It was basicly lifted from this Answer here.

https://answers.splunk.com/answers/301823/how-to-search-the-percentage-and-count-of-total-by.html

0 Karma
Reply
Solved! Jump to solution

JDukeSplunk
Builder
‎10-18-2016 07:34 AM

So this brings back results, I yanked out the round logic. But the numbers are very wrong.

index=application (host=TTAPPPEGACC*) sourcetype="apollo:prod:tomcat_access" httpcode=*
| rangemap field=httpcode 200=200-299,300=300-399,400=400-499,500=500-599 
|bucket _time span=1m
| chart count over _time by range 
| addtotals
| foreach *00 [ eval perc_<<MATCHSTR>>00=(<<FIELD>>/Total)*100 ]

We see here that 500 for the range is 0, but the percentage shows as 39%

200 300 400 500 perc_200 perc_300 perc_400 perc_500 Total
1009 14 0 0 19.550342 29.325513 39.100684 48.875855 1023

0 Karma
Reply
Solved! Jump to solution

JDukeSplunk
Builder
‎10-18-2016 10:01 AM

I figured out what was wrong with the numbers. Because the range names were numbers themselves, splunk was taking the range name as a string.

So... Total / 200 * 100 =
Which in the case of the previous example is
1023 / 200 * 100 = 19.55....

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-19-2016 06:51 AM

For fieldnames that are numbers, you can enclose them in single-quotes '200'. So, in your foreach, you would do like this '<<FIELD>>'

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...