Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to timechart percent values generated by top command?

beetlegeuse
Path Finder
‎05-17-2023 01:20 PM

I'm using a pretty straightforward query to see how many unique HTTP status codes are thrown from an IIS server during a given time period:

 

index=foo host=bar sourcetype=iis85
| top sc_status

 

The results are as follows:

 

sc_status	count	         percent
401	        95115	        36.975773
302	        91840	        35.702623
200	        70141	        27.267179
404	          140	         0.054425

 

Adding the percentage values for each of the status codes together equals 100%.

I'd like to run the search across a longer timeframe (24 hours) and visualize on a line chart the percentages for each status code using a five minute aggregation. How can I accomplish this?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-17-2023 01:57 PM

It sounds like a job for the timechart command.  Here's one approach, but there may be others.

 

index=foo host=bar sourcetype=iis85
```Count events by status over 5-minute aggregations, taking only the top 10 ```
| timechart span=5m limit=10 useother=0 usenull=0 count by sc_status
```Get the total count for each time period ```
| addtotals label="Total" labelfield=Total
```Replace each result with a percentage of Total```
| foreach * [eval <<FIELD>> = round('<<FIELD>>'*100/Total, 2)]
```Remove the Total field```
| fields - Total

 

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-17-2023 01:57 PM

It sounds like a job for the timechart command.  Here's one approach, but there may be others.

 

index=foo host=bar sourcetype=iis85
```Count events by status over 5-minute aggregations, taking only the top 10 ```
| timechart span=5m limit=10 useother=0 usenull=0 count by sc_status
```Get the total count for each time period ```
| addtotals label="Total" labelfield=Total
```Replace each result with a percentage of Total```
| foreach * [eval <<FIELD>> = round('<<FIELD>>'*100/Total, 2)]
```Remove the Total field```
| fields - Total

 

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

beetlegeuse
Path Finder
‎05-17-2023 03:35 PM

@richgalloway This gets me closer (timechart shows individual status codes...yay!), but adding up the percentage values from each status code for a given five minute period does not equal 100%. And, if I include the "total" field in the output, you'll note that it's consistently showing 100.00 as the value every five minutes:

 

_time	              200	   302     401	   404      Total
2023-05-16 00:00:00	71.94	108.63	144.24	145.32     100.00
2023-05-16 00:05:00	71.94	108.63	144.24	145.32     100.00
2023-05-16 00:10:00	69.69	105.23	139.72	140.77     100.00
2023-05-16 00:15:00	69.93	105.59	140.21	141.26     100.00

 

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-18-2023 06:57 AM

I didn't account for field names that are integers.  I've updated my answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

beetlegeuse
Path Finder
‎05-18-2023 08:50 AM

Those pesky quotation marks...

That did the trick! Thank you for your help!

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...