How to display a timechart that gets the percent o...

elpaisa · ‎05-12-2021

Hi all,

I have server errors and success logs in the data, i want to get the percent of failures out of the total count of requests, this is my initial search:

index=my_index source=my_source (line.data.status = 200) OR ("Sending 500 ("Server Error") response" OR line.data.status = 500)

So lets say, the total number of results is 1000 and the total failures is 100, 10% of failures

richgalloway · ‎05-13-2021

Try this

index=my_index source=my_source (line.data.status = 200) OR ("Sending 500 ("Server Error") response" OR line.data.status = 500)
```Group events by time```
| bin span=1h _time
```Flag error events```
| eval error=case(line.data.status=500, 1, searchmatch("Sending 500 (\"Server Error\") response"), 1, 1==1, 0)
```Count events and errors```
| stats count as total, sum(error) as errors by _time
```Compute the percentage```
| eval pct=(errors*100/total)
| timechart span=1h max(pct) as pct

---
If this reply helps you, Karma would be appreciated.

How to display a timechart that gets the percent of failures having a count of errors and success

count

stats

timechart

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!