Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find the the error rate that does not have following response after a given time range?

hongbo_miao
Path Finder
‎09-18-2020 02:12 PM

I have some logs like these

 

{
logType: 'Incoming Request',
url: '/hello'
timestamp: '2020-09-18T17:53:56.516Z'
}

{
logType: 'Outgoing Response',
url: '/hello'
timestamp: '2020-09-18T17:53:57.516Z'
}

{
logType: 'Incoming Request',
url: '/bye'
timestamp: '2020-09-19T10:53:56.516Z'
}

 

I tries to get error rate that does that does not have following response after a given time range.

For example, if the given time range is 5 seconds,

for URL /hello, Incoming Request does have a Outgoing Response, so it is successful.

However, for URL /bye, it is missing Outgoing Response like this case (or does not have the following Outgoing Response in 5 seconds).

So I want list a table like

urltotalRequestserrRate
/hello10
/bye1100%

 

Any guide would be helpful! Thanks

Labels (1)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-18-2020 09:51 PM

Do you always get one request and one response or there could be multiple requests and multiple responses.

for example: requestA , requestB , responseA , responseB

or

requestA, responseA, requestB, responseB

trying to understand the sequence to answer your question better.

————————————
If this helps, give a like below.
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-18-2020 02:29 PM

Have you indexed these logs? Have you extracted any fields e.g. timestamp, url, log type? Total requests is then the count of Incoming Requests. Error count is then Total requests - count of outgoing response.

| stats count(incoming) as incoming, count(outgoing) as outgoing by url, _time
| eval failure=incoming-outgoing
| eval errorrate=outgoing / incoming
0 Karma
Reply

hongbo_miao
Path Finder
‎09-18-2020 02:58 PM

Thanks @ITWhisperer I do have index.

 

index="my_index"
| stats count as total, count(eval(logType="Incoming Request")) as incoming, count(eval(logType="Outgoing Response")) as outgoing by url
| eval failure = incoming - outgoing
| eval errorrate = failure / total
| table url, total, incoming, outgoing, errorrate
| sort -errorrate

 

I came up with this, however, this not consider "give time range" yet, but I got the idea.

My incoming and outgoing columns in the table are 0, will further dig in and report back.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2020 02:16 AM

With the calculation you have shown, if you have 20 incoming and 15 outgoing, your total will be 35, your failures will be 5, your error rate will be 1/7 when it should be 1/4.

That doesn't explain why you are get zero counts. Can you check that the logType is what you think it is?

0 Karma
Reply

hongbo_miao
Path Finder
‎09-24-2020 10:39 AM

Oh for the count is 0 issue, I replied at https://community.splunk.com/t5/Splunk-Search/Always-got-zero-for-count/m-p/521339#M146908

Really appreciate for the help!

I will back to this question once I have a final solution later.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...