Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search the percentage of occurrences of certain values in a field?

ppaveld
Engager
‎08-14-2015 08:51 AM

Hi,

I have a table like this:

    userID      is_successful        version
    userA            true              1.1
    userA            true              1.3
    userB            true              1.3
    userB            true              1.1
    userC            true              1.1
    userC            false             1.1

My application sends data to Splunk with userID and whether a particular event was a success or not.

I'd like to see the % of distinct users for which that event has failed for every version of the application.

Thanks in advance.

Tags (2)
Reply

maciep
Champion
‎08-14-2015 10:45 AM

I feel like there's a much better way to do this, but this is what popped into my head. Get a total count of the distinct users. Then filter results to only those that failed. Then do another distinct count of those users based on the version. Then do the percentage match - distinct failed out of distinct total...

... | eventstats dc(userID) num_users | where is_successful=false | stats dc(userID) as num_failed_users by version | eval percent_failed_users = num_failed_users/num_users
0 Karma
Reply

ppaveld
Engager
‎08-17-2015 03:17 AM

Can't get it to work, I'm not sure whether eventstats should be used here?
Forgetting about version num this is what I can get right now:
... | stats dc(userId) as allUsers by is_successful
and result is:
false 800
true 10
Now somehow I'd need to use that result and get the percentage of "true" instances.

0 Karma
Reply

maciep
Champion
‎08-18-2015 08:55 AM

ah, I think I lose num_users after the second stats. So maybe this would work too? Or just eventstats both of them?

 ... | eventstats dc(userID) num_users | where is_successful=false | stats dc(userID) as num_failed_users max(num_users) as num_users by version | eval percent_failed_users = num_failed_users/num_users
0 Karma
Reply

maciep
Champion
‎08-17-2015 04:12 AM

I thought when you said you wanted percent of users, that meant you needed a distinct count of all users as well (to get the percentage). That's why I was using eventstats first...

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...