Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to filter success/fail status when using data model

amylala
Explorer
‎12-30-2015 03:08 AM

I want to calculate successRate for a combination of hotelId and useId with data model.
It works with following query. But the problem is that the query runs really slowly due to the join command.

Query:
|tstats count as Total from datamodel="xxx" by hotelId, useId | join ... [|tstats count AS Failed from datamodel="xxx" where status=false by hotelId, useId|...

How can I count the Total and Failed with only one "tstats"? It there any command similar with "count(eval(status=false))"?

Tags (2)
0 Karma
Reply

javiergn
SplunkTrust
SplunkTrust
‎12-30-2015 03:17 AM

Have you tried:

| tstats count as Total from datamodel="xxx" by hotelId, useId, status 
| addtotals

[EDITED]

| tstats count as Total from datamodel="xxx" by hotelId, useId, status 
| eval Fail = if(Status="fail", Total, 0)
| stats sum(Total) as TotalCount, sum(Fail) as FailCount by hotelId, useId
| eval SuccessRate = (FailCount/TotalCount)*100
0 Karma
Reply

javiergn
SplunkTrust
SplunkTrust
‎12-30-2015 03:23 AM

You can try addcoltotals too to see which one works better for you

0 Karma
Reply

amylala
Explorer
‎12-30-2015 07:59 PM

Thanks, javiergn.
addtotals and addcoltotals do not work for me.

What i want is:
hotelId useId TotalCount FailCount Success%
12345 111 100 2 98
12345 112 150 100 33.33

But here is what i get with addtotals.

hotelId useId Status Total
12345 111 success 98
12345 111 fail 2
12345 112 success 50
12345 112 fail 100

Do you know how to convert this table to the one i expected?

0 Karma
Reply

javiergn
SplunkTrust
SplunkTrust
‎12-31-2015 01:38 AM

I see, then try the following:

| tstats count as Total from datamodel="xxx" by hotelId, useId, status 
| eval Fail = if(Status="fail", Total, 0)
| stats sum(Total) as TotalCount, sum(Fail) as FailCount by hotelId, useId
| eval SuccessRate = (FailCount/TotalCount)*100
0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...