How to display a timechart that gets the percent o...

elpaisa · ‎05-12-2021

Hi all,

I have server errors and success logs in the data, i want to get the percent of failures out of the total count of requests, this is my initial search:

index=my_index source=my_source (line.data.status = 200) OR ("Sending 500 ("Server Error") response" OR line.data.status = 500)

So lets say, the total number of results is 1000 and the total failures is 100, 10% of failures

richgalloway · ‎05-13-2021

Try this

index=my_index source=my_source (line.data.status = 200) OR ("Sending 500 ("Server Error") response" OR line.data.status = 500)
```Group events by time```
| bin span=1h _time
```Flag error events```
| eval error=case(line.data.status=500, 1, searchmatch("Sending 500 (\"Server Error\") response"), 1, 1==1, 0)
```Count events and errors```
| stats count as total, sum(error) as errors by _time
```Compute the percentage```
| eval pct=(errors*100/total)
| timechart span=1h max(pct) as pct

---
If this reply helps you, Karma would be appreciated.

How to display a timechart that gets the percent of failures having a count of errors and success

count

stats

timechart

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?