Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to timechart percent values generated by top command?

beetlegeuse
Path Finder
‎05-17-2023 01:20 PM

I'm using a pretty straightforward query to see how many unique HTTP status codes are thrown from an IIS server during a given time period:

 

index=foo host=bar sourcetype=iis85
| top sc_status

 

The results are as follows:

 

sc_status	count	         percent
401	        95115	        36.975773
302	        91840	        35.702623
200	        70141	        27.267179
404	          140	         0.054425

 

Adding the percentage values for each of the status codes together equals 100%.

I'd like to run the search across a longer timeframe (24 hours) and visualize on a line chart the percentages for each status code using a five minute aggregation. How can I accomplish this?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-17-2023 01:57 PM

It sounds like a job for the timechart command.  Here's one approach, but there may be others.

 

index=foo host=bar sourcetype=iis85
```Count events by status over 5-minute aggregations, taking only the top 10 ```
| timechart span=5m limit=10 useother=0 usenull=0 count by sc_status
```Get the total count for each time period ```
| addtotals label="Total" labelfield=Total
```Replace each result with a percentage of Total```
| foreach * [eval <<FIELD>> = round('<<FIELD>>'*100/Total, 2)]
```Remove the Total field```
| fields - Total

 

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-17-2023 01:57 PM

It sounds like a job for the timechart command.  Here's one approach, but there may be others.

 

index=foo host=bar sourcetype=iis85
```Count events by status over 5-minute aggregations, taking only the top 10 ```
| timechart span=5m limit=10 useother=0 usenull=0 count by sc_status
```Get the total count for each time period ```
| addtotals label="Total" labelfield=Total
```Replace each result with a percentage of Total```
| foreach * [eval <<FIELD>> = round('<<FIELD>>'*100/Total, 2)]
```Remove the Total field```
| fields - Total

 

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

beetlegeuse
Path Finder
‎05-17-2023 03:35 PM

@richgalloway This gets me closer (timechart shows individual status codes...yay!), but adding up the percentage values from each status code for a given five minute period does not equal 100%. And, if I include the "total" field in the output, you'll note that it's consistently showing 100.00 as the value every five minutes:

 

_time	              200	   302     401	   404      Total
2023-05-16 00:00:00	71.94	108.63	144.24	145.32     100.00
2023-05-16 00:05:00	71.94	108.63	144.24	145.32     100.00
2023-05-16 00:10:00	69.69	105.23	139.72	140.77     100.00
2023-05-16 00:15:00	69.93	105.59	140.21	141.26     100.00

 

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-18-2023 06:57 AM

I didn't account for field names that are integers.  I've updated my answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

beetlegeuse
Path Finder
‎05-18-2023 08:50 AM

Those pesky quotation marks...

That did the trick! Thank you for your help!

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...