Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to set missing data values to zero?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
xvxt006
Contributor
08-05-2014
09:14 AM
Hi,
I want to track good requests (http=200) vs bad requests (http>399)and i have used the below query. But sometimes requests don't have bad requests then the column value is empty. So my formula is not working as it cannot copy empty value. So I am not getting an percentages. is this the right way to do this? i want track good and bad requests by uri as shown below.
status=200 | rex field=uri_path "/(?
In this below example you can see only failures has data.
uri_path GoodRequests GoodSessions FailedSessions FailureSessionsPerc Failures FailuresPerc GoodRequestsPerc GoodSessionsPerc TotalRequests TotalSessions
rest 3 8
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
08-05-2014
10:10 AM
You can use fillnull command before "| eval TotalRequests=" (after join) as @Patrick suggested.
You can also try this alternative approach (no joins, should perform better as well).
status=200 OR status>399 | rex field=uri_path "/(?<uri_path>(?:[^/]*))" | eval requestType=if(status=200,"Good","Bad")
| chart count as requests dc(side) as sessions over uri_path by requestType
| rename "requests: Good" as GoodRequests ,"requests: Bad" as Failures , "sessions: Good" as GoodSessions , "sessions: Bad" as FailedSessions
| eval TotalRequests= (GoodRequests+Failures)| eval TotalSessions=(GoodSessions+FailedSessions)
| eval GoodRequestsPerc = round((GoodRequests/TotalRequests)*100,2) | eval GoodSessionsPerc = round((GoodSessions /TotalSessions)*100,2)
| eval FailuresPerc = round((Failures/TotalRequests)*100,2) | eval FailureSessionsPerc = round((FailedSessions/TotalSessions)*100,2) | sort - Failures
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
xvxt006
Contributor
08-05-2014
12:17 PM
I did not know about this. This is useful
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
08-05-2014
10:10 AM
You can use fillnull command before "| eval TotalRequests=" (after join) as @Patrick suggested.
You can also try this alternative approach (no joins, should perform better as well).
status=200 OR status>399 | rex field=uri_path "/(?<uri_path>(?:[^/]*))" | eval requestType=if(status=200,"Good","Bad")
| chart count as requests dc(side) as sessions over uri_path by requestType
| rename "requests: Good" as GoodRequests ,"requests: Bad" as Failures , "sessions: Good" as GoodSessions , "sessions: Bad" as FailedSessions
| eval TotalRequests= (GoodRequests+Failures)| eval TotalSessions=(GoodSessions+FailedSessions)
| eval GoodRequestsPerc = round((GoodRequests/TotalRequests)*100,2) | eval GoodSessionsPerc = round((GoodSessions /TotalSessions)*100,2)
| eval FailuresPerc = round((Failures/TotalRequests)*100,2) | eval FailureSessionsPerc = round((FailedSessions/TotalSessions)*100,2) | sort - Failures
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
xvxt006
Contributor
08-12-2014
08:19 PM
Actually i am able to see events in verbose mode. Let me know if there is any other way to view events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
xvxt006
Contributor
08-12-2014
07:54 PM
Hi, once i get the stats table, if i drill down, i am not getting intended results. i have tried drill down on row and cell. i guess this is the limitation of how it adds the row at the end of the query and when i drill down 2nd time it loses the context. any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
xvxt006
Contributor
08-05-2014
12:16 PM
Thanks. This is more efficient.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppablo
Retired
08-05-2014
10:07 AM
Hi @xvxt006
I'm very much a search command apprentice in training so not sure if this will be super helpful, but have you tried the fillnull command? http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Fillnull
Get Updates on the Splunk Community!
Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco
The Defining Technology Movement of Our Lifetime
The advent of agentic AI is arguably the defining technology ...
Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data
In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...
Your summer travels continue with new course releases
Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
