Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search so the eval function to work...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mtrochym
Observer
01-05-2017
01:25 PM
I am looking to find the errorpercentage of ERROR_CODES vs the number of "ACTIVITY="logins" per division (we have 4 of them) in a timechart. Below is my current search, which works well for only one division. You will notice that my count(eval is excluding two specific errorcodes.)
index=something ERROR_CODE="*" ACTIVITY="*" division=NY
|timechart count(eval(ERROR_CODE!="N/A" AND ERROR_CODE!="900")) as EC , count(eval(ACTIVITY="logins")) as Search
| eval ErrorPercent= round(((EC)/Search)*100) |fields - Search - EC
This works great to show me the "ErrorPercent" for one division but when I try adding 'by division' into my timechart (like this)
|timechart count(eval(ERROR_CODE!="N/A" AND ERROR_CODE!="900")) as EC , count(eval(ACTIVITY="logins")) as Search by division
I only end up with fields "EC: division" & "Search: division" per division. The search doesn't seem to go further and show me the "ErrorPercent" field per division.
Any help would be appreciated.
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-05-2017
02:18 PM
Give this a try
index=something ERROR_CODE="*" ACTIVITY="*" division=*
|timechart count(eval(ERROR_CODE!="N/A" AND ERROR_CODE!="900")) as EC , count(eval(ACTIVITY="logins")) as Search by division
| foreach EC* [eval "ErrorPercent<<MATCHSTR>>"= round((('<<FIELD>>')/'Search<<MATCHSTR>>')*100) ] |fields - Search* - EC*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-05-2017
02:18 PM
Give this a try
index=something ERROR_CODE="*" ACTIVITY="*" division=*
|timechart count(eval(ERROR_CODE!="N/A" AND ERROR_CODE!="900")) as EC , count(eval(ACTIVITY="logins")) as Search by division
| foreach EC* [eval "ErrorPercent<<MATCHSTR>>"= round((('<<FIELD>>')/'Search<<MATCHSTR>>')*100) ] |fields - Search* - EC*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mtrochym
Observer
01-06-2017
10:42 AM
That worked! Thank you so much!!
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
