Solved: How to modify query to tabulate error codes and pe...

9jamie · ‎09-23-2022

I am trying to create a query that returns a table showing counts of different error codes and percentage of transactions that are failing (error != 0) for each service.

service	0	3100	2000	1200	% Failure
Foo	1000	12	0	0	1.2%
Bar	100	0	3	2	5.0%

My query which returns the above table is:

index=my_index | where error=0 OR error!=0 | chart count by service, error | eval "% Failure" = round(('3100'+'2000'+'1200')/('3100'+'2000'+'1200'+'0'),2)."%"

How can I modify this query so that I don't need to hardcode each error code into the last part of the query, as error codes may vary?

johnhuang · ‎09-23-2022

index=my_index error=*
| chart count by service, error
| addtotals fieldname="event_total"
| eval "% Failure"=round((event_total-'0')/(event_total)*100, 2)."%"

View solution in original post

johnhuang · ‎09-23-2022

index=my_index error=*
| chart count by service, error
| addtotals fieldname="event_total"
| eval "% Failure"=round((event_total-'0')/(event_total)*100, 2)."%"

How to modify query to tabulate error codes and percent failure?

chart

eval

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?