Splunk Search

How to get a percentage out of 2 queries?

kvanwagoner
New Member

I've got 2 search queries that are working for me (Thanks to @harshpatel)

Query #1 returns the average # of successes over the last 7 Days.

"A PUT was made to OpenAAA API - Status: OK" | spath AppID | search AppID=200296 Environment=prod | timechart count by Environment | bin span=7d _time | stats avg(prod)

Query #2 returns the average # of failures over the last 7 Days.

"A PUT was made to OpenAAA API - Status: 1" | spath AppID | search AppID=200296 Environment=prod | timechart count by Environment | bin span=7d _time | stats avg(prod)

How can I find out the percentage of failures based on these 2 queries? AVG # of Failures divided by AVG # of Successes

Example. 100 success and 50 failures .... Percentage of Failures would be 50%)

Any help will be greatly appreciated!

Thanks

0 Karma
1 Solution

Vijeta
Influencer

@kvanwagoner Try this -

 "A PUT was made to OpenAAA API - Status: *" | rex "Status: (?<status>\w+)" | spath AppID 
 | search AppID=200296 Environment=prod | timechart count(eval(status="OK")) as success, count(eval(status="1")) as failures| bin span=7d _time 
 | stats avg(success) as S, avg(failures) as F| eval pct=( F * 100 ) / S

View solution in original post

0 Karma

Vijeta
Influencer

@kvanwagoner Try this -

 "A PUT was made to OpenAAA API - Status: *" | rex "Status: (?<status>\w+)" | spath AppID 
 | search AppID=200296 Environment=prod | timechart count(eval(status="OK")) as success, count(eval(status="1")) as failures| bin span=7d _time 
 | stats avg(success) as S, avg(failures) as F| eval pct=( F * 100 ) / S

View solution in original post

0 Karma

kvanwagoner
New Member

Thanks @Vijeta . That works great!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try combining the two queries.

"A PUT was made to OpenAAA API - Status: *" | rex "Status: (?<status>\w+)" | spath AppID 
| search AppID=200296 Environment=prod | timechart count by Environment | bin span=7d _time 
| stats count, count(eval(status="OK")) as successes, count(eval(status=1)) as failures | eval pct=(failures*100)/successes
---
If this reply helps you, an upvote would be appreciated.
0 Karma

kvanwagoner
New Member

Thanks @richgalloway
This is returning
count=08
failures=0

successes=0
The two separate queries return 359 success and 7 failures. Which would be around 1.9%

Any ideas?

0 Karma

kvanwagoner
New Member

@harshpatel any ideas on this?

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!