Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find percentage with selective sum of field values?

vinothkumark
Path Finder
‎01-24-2023 10:51 AM

< query > ... | stats count by return_code fetches me the below output.

vinothkumark_0-1674585802845.png


I have to create an alert where the sum of any return_code value other than 100 and 200 should not cross 20% of the overall value.

Example: from the above image, I will add the count of return_codes (other than 100 and 200 ) which will result as 226. now the count of 100 and 200 is 2924. now the  percentage will come around 7.17 %.
How do I achieve this via query?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-24-2023 10:39 PM

The eventstats should be

| eventstats sum(eval(if(return_code<=200, count, 0))) as OK, sum(eval(if(return_code>200, count, 0))) as KO
| eval pctKO = (KO * 100) / (OK + KO)

however, with your calculations this actually is 3.99%...

| makeresults
| eval x=split("100:254,200:227,404:8,404:3,406:9", ",")
| mvexpand x
| rex field=x "(?<return_code>\d+):(?<count>\d+)"
| table return_code count
| eventstats sum(eval(if(return_code<=200, count, 0))) as OK, sum(eval(if(return_code>200, count, 0))) as KO
| eval pctKO = (KO * 100) / (OK + KO)

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎01-24-2023 01:46 PM

Just a technical comment on the maths...

When you say that ...should not cross 20% of the overall value.

your calculation of 7.7% indicates that failures is compared only against successes (100+200), i.e 226/2924, however, if you want it to be of 'overall value' then the formula would be

226 / (2924 + 226) = 7.17%

and @richgalloway formula would be

| eval pctKO = (KO * 100) / (OK + KO)

 

0 Karma
Reply
Solved! Jump to solution

vinothkumark
Path Finder
‎01-24-2023 10:16 PM

yeah,  right. modified it. thanks
226 / (2924 + 226) = 7.17%

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-24-2023 11:01 AM

From the current results, use eventstats to compute the subtotals by return_code.  Then you can calculate the percentage.

.. | stats count by return_code
| eventstats sum(eval(return_code<=200)) as OK, sum(eval(return_code>200)) as KO
| eval pctKO = (KO * 100) / OK
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

vinothkumark
Path Finder
‎01-24-2023 10:22 PM

Sorry I think I didn't put it in the right way. 
It calculates the return_code like below ( check KO and OK )

vinothkumark_1-1674627569909.png

 

 But I want to calculate the highlighted ones. 
Example: 8+9+3 = 20
254 + 227 = 481
perc = 20*100/(20+481)=3.1% 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-24-2023 10:39 PM

The eventstats should be

| eventstats sum(eval(if(return_code<=200, count, 0))) as OK, sum(eval(if(return_code>200, count, 0))) as KO
| eval pctKO = (KO * 100) / (OK + KO)

however, with your calculations this actually is 3.99%...

| makeresults
| eval x=split("100:254,200:227,404:8,404:3,406:9", ",")
| mvexpand x
| rex field=x "(?<return_code>\d+):(?<count>\d+)"
| table return_code count
| eventstats sum(eval(if(return_code<=200, count, 0))) as OK, sum(eval(if(return_code>200, count, 0))) as KO
| eval pctKO = (KO * 100) / (OK + KO)
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top