Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use each value in a column to determine count of "success", "failure", or "error", then calculate the success percentage?

jshellman
Engager
‎02-16-2016 06:15 PM

I have a search, something like this:

search stuff
    | rex "extract cat"
    | rex "extract field2"
    | rex "extract field3"
    | eval theValue=coalesce(field2, field3)
    | stats count by cat, theValue
    | table count, cat, theValue

So, the output is something like this:

count  | cat   | theValue
55     | BER   | A
 2     | BER   | 302
 1     | BER   | 201
14     | CCG   | 502
 3     | CCG   | null
88     | CCG   | 100

Now, if theValue is A or 100 (or one of a small constant set of values), then it represents a "success" case, if theValue is null it's an error, and any other theValue is an expected "failure" case. So, for each cat value, I want to calculate a percentage of success/failure and show the error count if it exists separately.

So, I want to change the above to: (expressions in {} show the calculation and I want to show the result of that)

cat | success       | errors
BER | {55/(55+2+1)} | 
CCG | {88/(88+14)}  | 3

How might I accomplish this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-16-2016 10:22 PM

Try like this

Updated null value handling

search stuff
| rex "extract cat"
| rex "extract field2"
| rex "extract field3"
| eval theValue=coalesce(field2, field3)
| stats count by cat, theValue
| eval status=case(theValue="A" OR theValue="100" OR thevalue="AnyOtherCondition","success", theValue="null","errors",1=1,"failure")
| chart sum(count) over cat by status
| fillnull value=0 success failure errors
| eval success=round(success/(success+failure+errors),2)
| table cat success error

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-16-2016 10:22 PM

Try like this

Updated null value handling

search stuff
| rex "extract cat"
| rex "extract field2"
| rex "extract field3"
| eval theValue=coalesce(field2, field3)
| stats count by cat, theValue
| eval status=case(theValue="A" OR theValue="100" OR thevalue="AnyOtherCondition","success", theValue="null","errors",1=1,"failure")
| chart sum(count) over cat by status
| fillnull value=0 success failure errors
| eval success=round(success/(success+failure+errors),2)
| table cat success error
Reply
Solved! Jump to solution

jshellman
Engager
‎02-17-2016 07:17 AM

Thanks! That almost did it. Because failures and errors don't always occur, I needed to add 3 lines like

| eval errors=if(isnotnull(errors), errors, 0)

or else the success wouldn't show up. Maybe there's an easier way to do that, but it worked.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-17-2016 07:30 AM

This would work just fine. For reference, these are ways you can handle assigning default value, in the order of my personal preference. 

...| fillnull value="DefaultValue" fieldname1 fieldname2...

...| eval fieldname1=coalesce(fieldname1,"DefaultValue") ...

...| eval fieldname1=if(isnotnull(fieldname1),fieldname1,"DefaultValue").....
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...