Splunk Search

How to search the percentage of occurrences of certain values in a field?

ppaveld
Engager

Hi,

I have a table like this:

    userID      is_successful        version
    userA            true              1.1
    userA            true              1.3
    userB            true              1.3
    userB            true              1.1
    userC            true              1.1
    userC            false             1.1

My application sends data to Splunk with userID and whether a particular event was a success or not.

I'd like to see the % of distinct users for which that event has failed for every version of the application.

Thanks in advance.

maciep
Champion

I feel like there's a much better way to do this, but this is what popped into my head. Get a total count of the distinct users. Then filter results to only those that failed. Then do another distinct count of those users based on the version. Then do the percentage math - distinct failed out of distinct total...

    ... | eventstats dc(userID) as num_users | where is_successful="false" | stats dc(userID) as num_failed_users by version | eval percent_failed_users = num_failed_users/num_users

0 Karma

ppaveld
Engager

Can't get it to work, I'm not sure whether eventstats should be used here?
Forgetting about version num this is what I can get right now:

    ... | stats dc(userId) as allUsers by is_successful

and result is:

    false 800
    true 10

Now somehow I'd need to use that result and get the percentage of "true" instances.

0 Karma

maciep
Champion

Ah, I think I lose num_users after the second stats. So maybe this would work too? Or just eventstats both of them?

    ... | eventstats dc(userID) as num_users | where is_successful="false" | stats dc(userID) as num_failed_users max(num_users) as num_users by version | eval percent_failed_users = num_failed_users/num_users

0 Karma

maciep
Champion

I thought when you said you wanted percent of users, that meant you needed a distinct count of all users as well (to get the percentage). That's why I was using eventstats first...

0 Karma
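
An added example, not part of any reply in this thread: one SPL search that computes both readings of the question (failed users as a share of each version's users, and as a share of all users) on the six sample rows from the question, embedded with `makeresults format=csv`. It assumes a Splunk version whose `makeresults` supports `format=csv`, that `is_successful` holds the strings true/false, and the output field names are chosen here for illustration. Failed users are counted with a conditional `dc(eval(...))` instead of a `where` filter, so a version with no failures still gets a row.

```spl
| makeresults format=csv data="userID,is_successful,version
userA,true,1.1
userA,true,1.3
userB,true,1.3
userB,true,1.1
userC,true,1.1
userC,false,1.1"
| eventstats dc(userID) as total_users
| stats dc(userID) as version_users
        dc(eval(if(is_successful="false", userID, null()))) as num_failed_users
        max(total_users) as total_users
        by version
| eval pct_of_version_users = round(100 * num_failed_users / version_users, 2)
| eval pct_of_all_users = round(100 * num_failed_users / total_users, 2)
```

On real data, replace the `makeresults` block with the base search that returns the events.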