Re: How to find the the error rate that does not h...

hongbo_miao · ‎09-18-2020

I have some logs like these

{
logType: 'Incoming Request',
url: '/hello'
timestamp: '2020-09-18T17:53:56.516Z'
}

{
logType: 'Outgoing Response',
url: '/hello'
timestamp: '2020-09-18T17:53:57.516Z'
}

{
logType: 'Incoming Request',
url: '/bye'
timestamp: '2020-09-19T10:53:56.516Z'
}

I tries to get error rate that does that does not have following response after a given time range.

For example, if the given time range is 5 seconds,

for URL /hello, Incoming Request does have a Outgoing Response, so it is successful.

However, for URL /bye, it is missing Outgoing Response like this case (or does not have the following Outgoing Response in 5 seconds).

So I want list a table like

url	totalRequests	errRate
/hello	1	0
/bye	1	100%

Any guide would be helpful! Thanks

thambisetty · ‎09-18-2020

Do you always get one request and one response or there could be multiple requests and multiple responses.

for example: requestA , requestB , responseA , responseB

or

requestA, responseA, requestB, responseB

trying to understand the sequence to answer your question better.

————————————
If this helps, give a like below.

ITWhisperer · ‎09-18-2020

Have you indexed these logs? Have you extracted any fields e.g. timestamp, url, log type? Total requests is then the count of Incoming Requests. Error count is then Total requests - count of outgoing response.

| stats count(incoming) as incoming, count(outgoing) as outgoing by url, _time
| eval failure=incoming-outgoing
| eval errorrate=outgoing / incoming

hongbo_miao · ‎09-18-2020

Thanks @ITWhisperer I do have index.

index="my_index"
| stats count as total, count(eval(logType="Incoming Request")) as incoming, count(eval(logType="Outgoing Response")) as outgoing by url
| eval failure = incoming - outgoing
| eval errorrate = failure / total
| table url, total, incoming, outgoing, errorrate
| sort -errorrate

I came up with this, however, this not consider "give time range" yet, but I got the idea.

My incoming and outgoing columns in the table are 0, will further dig in and report back.

ITWhisperer · ‎09-19-2020

With the calculation you have shown, if you have 20 incoming and 15 outgoing, your total will be 35, your failures will be 5, your error rate will be 1/7 when it should be 1/4.

That doesn't explain why you are get zero counts. Can you check that the logType is what you think it is?

hongbo_miao · ‎09-24-2020

Oh for the count is 0 issue, I replied at https://community.splunk.com/t5/Splunk-Search/Always-got-zero-for-count/m-p/521339#M146908

Really appreciate for the help!

I will back to this question once I have a final solution later.

How to find the the error rate that does not have following response after a given time range?

table

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?