Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create report on failure rates using count of errors per session and total number of sessions?

sjnorman
Explorer
‎08-19-2014 09:33 AM

We'd like to be able to report on failure rates within our application. The metric we will use is errors per session / total # of sessions.

We can identify when a user logs in by searching for a particular search phrase (i.e. "user X logged in") and when an error occurs ("error X occurred while processing the request for user X").

So, total # of sessions = number of log statements that contain the text "user X logged in"
errors per session = number of log statements that contain the text "error X occurred while processing the request for user X"

I know that I can get a count for each of the two statement types, but how do I feed that into a single report?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

strive
Influencer
‎08-19-2014 10:39 AM

Assuming that you have written regexes to extract both the texts and the field names that you have given are: UserLogin, Error

Then you can write search like this

Some search terms... | stats count(UserLogin) as TotalSessions, count(Error) as TotalErrors | eval FailureRate = TotalErrors/TotalSessions

View solution in original post

Reply
Solved! Jump to solution

sjnorman
Explorer
‎08-20-2014 05:53 AM

I used your suggestion below but matched on raw search terms.

stats count(eval(match(_raw,"login search terms"))) as TotalSessions, count(eval(match(_raw,"error search terms"))) as TotalErrors | eval FailureRate = TotalErrors/TotalSessions

0 Karma
Reply
Solved! Jump to solution
Solution

strive
Influencer
‎08-19-2014 10:39 AM

Assuming that you have written regexes to extract both the texts and the field names that you have given are: UserLogin, Error

Then you can write search like this

Some search terms... | stats count(UserLogin) as TotalSessions, count(Error) as TotalErrors | eval FailureRate = TotalErrors/TotalSessions
Reply
Solved! Jump to solution

sjnorman
Explorer
‎08-20-2014 05:07 AM

Wouldn't the login and error statements be considered event types, and within those types, fields would be things such as user ID, error type, etc.?

i.e.
user X logged in = Login event type
X = user_id field

Maybe I'm misunderstanding what Splunk considers a field?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...