Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to timechart percent values generated by top command?

beetlegeuse
Path Finder
‎05-17-2023 01:20 PM

I'm using a pretty straightforward query to see how many unique HTTP status codes are thrown from an IIS server during a given time period:

 

index=foo host=bar sourcetype=iis85
| top sc_status

 

The results are as follows:

 

sc_status	count	         percent
401	        95115	        36.975773
302	        91840	        35.702623
200	        70141	        27.267179
404	          140	         0.054425

 

Adding the percentage values for each of the status codes together equals 100%.

I'd like to run the search across a longer timeframe (24 hours) and visualize on a line chart the percentages for each status code using a five minute aggregation. How can I accomplish this?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-17-2023 01:57 PM

It sounds like a job for the timechart command.  Here's one approach, but there may be others.

 

index=foo host=bar sourcetype=iis85
```Count events by status over 5-minute aggregations, taking only the top 10 ```
| timechart span=5m limit=10 useother=0 usenull=0 count by sc_status
```Get the total count for each time period ```
| addtotals label="Total" labelfield=Total
```Replace each result with a percentage of Total```
| foreach * [eval <<FIELD>> = round('<<FIELD>>'*100/Total, 2)]
```Remove the Total field```
| fields - Total

 

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-17-2023 01:57 PM

It sounds like a job for the timechart command.  Here's one approach, but there may be others.

 

index=foo host=bar sourcetype=iis85
```Count events by status over 5-minute aggregations, taking only the top 10 ```
| timechart span=5m limit=10 useother=0 usenull=0 count by sc_status
```Get the total count for each time period ```
| addtotals label="Total" labelfield=Total
```Replace each result with a percentage of Total```
| foreach * [eval <<FIELD>> = round('<<FIELD>>'*100/Total, 2)]
```Remove the Total field```
| fields - Total

 

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

beetlegeuse
Path Finder
‎05-17-2023 03:35 PM

@richgalloway This gets me closer (timechart shows individual status codes...yay!), but adding up the percentage values from each status code for a given five minute period does not equal 100%. And, if I include the "total" field in the output, you'll note that it's consistently showing 100.00 as the value every five minutes:

 

_time	              200	   302     401	   404      Total
2023-05-16 00:00:00	71.94	108.63	144.24	145.32     100.00
2023-05-16 00:05:00	71.94	108.63	144.24	145.32     100.00
2023-05-16 00:10:00	69.69	105.23	139.72	140.77     100.00
2023-05-16 00:15:00	69.93	105.59	140.21	141.26     100.00

 

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-18-2023 06:57 AM

I didn't account for field names that are integers.  I've updated my answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

beetlegeuse
Path Finder
‎05-18-2023 08:50 AM

Those pesky quotation marks...

That did the trick! Thank you for your help!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...