Solved: How to get a percentage into stats results?

dbcase · ‎12-01-2016

Hi,

I have the below query that works just fine. The thing that I want to add is a percentage (Errors/Success*100) but no matter what I try the column just shows up blank

Here is the original working query

host=betamax-relay* image.jpg|rex "HTTP\S+\s(?<status>\d+)"|eval agent = if(match(_raw,"iPad"),"iPad", if(match(_raw, "iPhone"),"iPhone", if(match(_raw, "Android"),"Android", if(match(_raw, "Windows NT"),"Windows NT",if(match(_raw, "HCM-R1"),"HCM-R1", if(match(_raw, "Macintosh"),"Macintosh",if(match(_raw, "Linux"),"Linux",if(match(_raw,"Apache-HttpClient"), "Apache-HttpClient","OTHER"))))))))|rex "(Mozilla|Dalvik)\S+\s\((?<os>[^)]+)"|eventstats count as grandtotal |eventstats count as ptotal by agent |stats sparkline(count,1h) as Trend count(eval(status=200)) as Success count(eval(status>=400 AND status<=599)) as Errors  by agent |rename agent as "User Agent - Click for Detail" count as Count

I've tried this but no luck... What am I missing??

host=betamax-relay* image.jpg|rex "HTTP\S+\s(?<status>\d+)"|eval agent = if(match(_raw,"iPad"),"iPad", if(match(_raw, "iPhone"),"iPhone", if(match(_raw, "Android"),"Android", if(match(_raw, "Windows NT"),"Windows NT",if(match(_raw, "HCM-R1"),"HCM-R1", if(match(_raw, "Macintosh"),"Macintosh",if(match(_raw, "Linux"),"Linux",if(match(_raw,"Apache-HttpClient"), "Apache-HttpClient","OTHER"))))))))|rex "(Mozilla|Dalvik)\S+\s\((?<os>[^)]+)"|eventstats count as grandtotal |eventstats count as ptotal by agent |stats sparkline(count,1h) as Trend count(eval(status=200)) as Success count(eval(status>=400 AND status<=599)) as Errors  values(eval(round(Errors/Success*100,2))) as Percentage by agent |rename agent as "User Agent - Click for Detail" count as Count

dbcase · ‎12-01-2016

Found it! Looks like post processing was the answer

host=betamax-relay* image.jpg|rex "HTTP\S+\s(?<status>\d+)"|eval agent = if(match(_raw,"iPad"),"iPad", if(match(_raw, "iPhone"),"iPhone", if(match(_raw, "Android"),"Android", if(match(_raw, "Windows NT"),"Windows NT",if(match(_raw, "HCM-R1"),"HCM-R1", if(match(_raw, "Macintosh"),"Macintosh",if(match(_raw, "Linux"),"Linux",if(match(_raw,"Apache-HttpClient"), "Apache-HttpClient","OTHER"))))))))|rex "(Mozilla|Dalvik)\S+\s\((?<os>[^)]+)"|eventstats count as grandtotal |eventstats count as ptotal by agent |stats sparkline(count,1h) as Trend count(eval(status=200)) as Success count(eval(status>=400 AND status<=599)) as Errors  by agent |eval Percentage=round(Errors/Success*100,2)|sort -Percentage|rename agent as "User Agent - Click for Detail" count as Count

View solution in original post

dbcase · ‎12-01-2016

Found it! Looks like post processing was the answer

host=betamax-relay* image.jpg|rex "HTTP\S+\s(?<status>\d+)"|eval agent = if(match(_raw,"iPad"),"iPad", if(match(_raw, "iPhone"),"iPhone", if(match(_raw, "Android"),"Android", if(match(_raw, "Windows NT"),"Windows NT",if(match(_raw, "HCM-R1"),"HCM-R1", if(match(_raw, "Macintosh"),"Macintosh",if(match(_raw, "Linux"),"Linux",if(match(_raw,"Apache-HttpClient"), "Apache-HttpClient","OTHER"))))))))|rex "(Mozilla|Dalvik)\S+\s\((?<os>[^)]+)"|eventstats count as grandtotal |eventstats count as ptotal by agent |stats sparkline(count,1h) as Trend count(eval(status=200)) as Success count(eval(status>=400 AND status<=599)) as Errors  by agent |eval Percentage=round(Errors/Success*100,2)|sort -Percentage|rename agent as "User Agent - Click for Detail" count as Count

How to get a percentage into stats results?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor