Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter success/fail status when using data model

amylala
Explorer
‎12-30-2015 03:08 AM

I want to calculate successRate for a combination of hotelId and useId with data model.
It works with following query. But the problem is that the query runs really slowly due to the join command.

Query:
|tstats count as Total from datamodel="xxx" by hotelId, useId | join ... [|tstats count AS Failed from datamodel="xxx" where status=false by hotelId, useId|...

How can I count the Total and Failed with only one "tstats"? It there any command similar with "count(eval(status=false))"?

Tags (2)
0 Karma
Reply

javiergn
Super Champion
‎12-30-2015 03:17 AM

Have you tried:

| tstats count as Total from datamodel="xxx" by hotelId, useId, status 
| addtotals

[EDITED]

| tstats count as Total from datamodel="xxx" by hotelId, useId, status 
| eval Fail = if(Status="fail", Total, 0)
| stats sum(Total) as TotalCount, sum(Fail) as FailCount by hotelId, useId
| eval SuccessRate = (FailCount/TotalCount)*100
0 Karma
Reply

javiergn
Super Champion
‎12-30-2015 03:23 AM

You can try addcoltotals too to see which one works better for you

0 Karma
Reply

amylala
Explorer
‎12-30-2015 07:59 PM

Thanks, javiergn.
addtotals and addcoltotals do not work for me.

What i want is:
hotelId useId TotalCount FailCount Success%
12345 111 100 2 98
12345 112 150 100 33.33

But here is what i get with addtotals.

hotelId useId Status Total
12345 111 success 98
12345 111 fail 2
12345 112 success 50
12345 112 fail 100

Do you know how to convert this table to the one i expected?

0 Karma
Reply

javiergn
Super Champion
‎12-31-2015 01:38 AM

I see, then try the following:

| tstats count as Total from datamodel="xxx" by hotelId, useId, status 
| eval Fail = if(Status="fail", Total, 0)
| stats sum(Total) as TotalCount, sum(Fail) as FailCount by hotelId, useId
| eval SuccessRate = (FailCount/TotalCount)*100
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...