Splunk Search

How to generate a timechart search for a running percentage?

ajobling1964
New Member

I have an SLA that states for a 12 month window the average availability must be > 95%. This can be calculated for today in a straightforward manner e.g. successful pings / total pings for the last 365 days and this gives the current performance against SLA. However I have been requested to track this over time i.e. what was the overall performance (year to date) on each day up until the current date. Can this be done in Splunk?

0 Karma
1 Solution

cmerriman
Super Champion

if i'm understanding, yes.

so your time range would be earliest=-366d@d latest=@d and that would get you 365 days ago from yesterday through yesterday.

if you need to calculate the daily availability and the overall, it would be something like this:

|timechart span=1d sum(successfulPings) as successfulPings sum(totalPings) as totalPings
|eventstats sum(successfulPings) as successfulPings365 sum(totalPings) as totalPings365
|eval dailyAvailability=round(successfulPings/totalPings*100,2)
|eval Rolling365Availability=round(successfulPings365/totalPings365*100,2)

does that work/make sense?


0 Karma

ajobling1964
New Member

Thank you for your response.

I am still struggling to get the output I require. I need to know on a given day in the year, what was the average availability up until that point in the year; ideally I would want to plot this in a chart.

0 Karma

cmerriman
Super Champion

oh i'm sorry, i misunderstood then.

 |timechart span=1d sum(successfulPings) as successfulPings sum(totalPings) as totalPings
 |streamstats global=t current=t sum(successfulPings) as successfulPingsTD sum(totalPings) as totalPingsTD
 |eval RollingToDateAvailability=round(successfulPingsTD/totalPingsTD*100,2)

try something like this. the streamstats should add in a rolling sum for each day, and the eval should add the percentage.

0 Karma
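
Added example (not part of the original thread): a Python cross-check of the running-percentage logic, which can be used to verify the figures against an export of the daily counts. The sample rows are constructed and the function names are hypothetical; the field names follow the searches above.

```python
from itertools import accumulate

SLA_THRESHOLD = 95.0  # SLA from the question: availability must be > 95%

# Constructed sample rows: (day, successfulPings, totalPings). Not real data.
DAILY = [
    ("2024-01-01", 990, 1000),
    ("2024-01-02", 980, 1000),
    ("2024-01-03", 300, 500),    # partial outage, fewer pings sent that day
    ("2024-01-04", 1990, 2000),
    ("2024-01-05", 995, 1000),
]

def pct(ok, total):
    """Percentage rounded to 2 places, like round(x/y*100,2); None if no pings."""
    return round(ok / total * 100, 2) if total else None

def running_availability(rows):
    """Mirror the streamstats search: cumulative sums per day, then the ratio."""
    ok_td = accumulate(r[1] for r in rows)
    total_td = accumulate(r[2] for r in rows)
    out = []
    for (day, ok, total), s, t in zip(rows, ok_td, total_td):
        to_date = pct(s, t)
        out.append({"day": day,
                    "dailyAvailability": pct(ok, total),
                    "RollingToDateAvailability": to_date,
                    "slaMet": to_date is not None and to_date > SLA_THRESHOLD})
    return out

def overall_availability(rows):
    """Mirror the eventstats search: one figure for the whole range."""
    return pct(sum(r[1] for r in rows), sum(r[2] for r in rows))

def mean_of_daily(rows):
    """Unweighted average of daily percentages, shown for comparison only."""
    daily = [pct(r[1], r[2]) for r in rows]
    return round(sum(daily) / len(daily), 2)

if __name__ == "__main__":
    for row in running_availability(DAILY):
        print(row)
    print("overall:", overall_availability(DAILY),
          "mean of daily:", mean_of_daily(DAILY))
```

The last running value equals the overall figure, while the unweighted mean of the daily percentages differs whenever the daily ping totals vary, so the ratio of running sums is the figure to compare against the SLA.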

ajobling1964
New Member

Thanks - that seems to be close to what I need - I just need to verify the figures now.

0 Karma

ajobling1964
New Member

I now have it working and the figures are fine. The only problem is the chart doesn't display too well because availability is circa 95% whereas the running total of pings is many thousand. Could the results be piped into another chart?

0 Karma

cmerriman
Super Champion

could you do a chart overlay? put the percentage on one axis and the total pings on the other?

0 Karma