
How to find the error rate of requests that do not have a following response within a given time range?

hongbo_miao
Path Finder

I have some logs like these

{
logType: 'Incoming Request',
url: '/hello',
timestamp: '2020-09-18T17:53:56.516Z'
}

{
logType: 'Outgoing Response',
url: '/hello',
timestamp: '2020-09-18T17:53:57.516Z'
}

{
logType: 'Incoming Request',
url: '/bye',
timestamp: '2020-09-19T10:53:56.516Z'
}

I am trying to get the error rate of requests that do not have a following response within a given time range.

For example, if the given time range is 5 seconds,

for URL /hello, the Incoming Request does have an Outgoing Response, so it is successful.

However, for URL /bye, the Outgoing Response is missing, as in this case (or there is no following Outgoing Response within 5 seconds).

So I want to list a table like

url    | totalRequests | errRate
/hello | 1             | 0
/bye   | 1             | 100%

Any guide would be helpful! Thanks


thambisetty
SplunkTrust

Do you always get one request and one response, or could there be multiple requests and multiple responses?

For example: requestA, requestB, responseA, responseB

or

requestA, responseA, requestB, responseB

Trying to understand the sequence to answer your question better.

————————————
If this helps, give a like below.

ITWhisperer
SplunkTrust

Have you indexed these logs? Have you extracted any fields, e.g. timestamp, url, log type? Total requests is then the count of Incoming Requests. Error count is then Total requests minus the count of Outgoing Responses.

| stats count(eval(logType="Incoming Request")) as incoming, count(eval(logType="Outgoing Response")) as outgoing by url
| eval failure=incoming-outgoing
| eval errorrate=failure/incoming

hongbo_miao
Path Finder

Thanks @ITWhisperer, I do have an index.

index="my_index"
| stats count as total, count(eval(logType="Incoming Request")) as incoming, count(eval(logType="Outgoing Response")) as outgoing by url
| eval failure = incoming - outgoing
| eval errorrate = failure / total
| table url, total, incoming, outgoing, errorrate
| sort -errorrate

I came up with this; however, it does not consider the "given time range" yet, but I got the idea.

My incoming and outgoing columns in the table are 0; I will dig in further and report back.

ITWhisperer
SplunkTrust

With the calculation you have shown, if you have 20 incoming and 15 outgoing, your total will be 35, your failures will be 5, your error rate will be 1/7 when it should be 1/4.

That doesn't explain why you are getting zero counts. Can you check that the logType is what you think it is?

hongbo_miao
Path Finder

Oh, for the count-is-0 issue, I replied at https://community.splunk.com/t5/Splunk-Search/Always-got-zero-for-count/m-p/521339#M146908

Really appreciate the help!

I will come back to this question once I have a final solution.
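One way to bring the 5-second window into the search, as an added example that is not the original poster's or any answerer's own code: it assumes the fields `logType`, `url` and `_time` are extracted from the `my_index` index used in the thread, that events for one url follow the requestA, responseA, requestB, responseB ordering thambisetty asked about, and it uses the corrected denominator from ITWhisperer's reply (failures divided by incoming requests, not by all events).

```spl
index="my_index" (logType="Incoming Request" OR logType="Outgoing Response")
| sort 0 _time
| streamstats current=f last(logType) AS prev_type last(_time) AS prev_time BY url
| eval responded=if(logType="Outgoing Response" AND prev_type="Incoming Request" AND (_time - prev_time) <= 5, 1, 0)
| stats count(eval(logType="Incoming Request")) AS totalRequests, sum(responded) AS responded BY url
| eval failures=totalRequests - responded
| eval errRate=round(100 * failures / totalRequests, 1)
| table url, totalRequests, failures, errRate
| sort -errRate
```

Events are sorted oldest first so that streamstats with current=f exposes the previous event for the same url; a response is counted as successful only when that previous event was a request no more than 5 seconds older, and changing `<= 5` changes the window. On the three sample events this yields /bye with 1 request and errRate 100, and /hello with 1 request and errRate 0.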