I am trying to write a search that reports the percentage of total users impacted from log data.
// All users will have this line recorded
initializing user blah blah
// success user will have this line recorded
init succeeded
// fail users will have a few variations
init failed A
init failed B
How do I write a search that counts the occurrences of these strings and calculate a percentage from there? Also preferably, I would like to use the userid field to only count each user once.
The report would look something like
Total User | Success Rate | Failure Rates
53334 | 99% | 1%
I tried using the append command to combine the counting of each result, but it is too slow. I was hoping for a more streamline answer. Thank you very much
Hi
This will help
index=_* status=*|stats count(user) as Total_user|appendcols[search index=_* status=success|stats count(user) as success_user]|appendcols[search index=_* status=failure|stats count(user) as fail_user]|eval successRate=((success_user/Total_user)*100)."%", failureRate=((fail_user/Total_user)*100)."%"|table Total_user successRate failureRate
Look at the result
your_base_search |stats count AS "T",count(eval(Type=="ERROR")) AS Failure|eval pF=round((Failure/T)*100), "Success Rate"=100-pF|table T,"Success Rate",pF|rename pF as "Failure Rates", T as "Total User"
Hi
This will help
index=_* status=*|stats count(user) as Total_user|appendcols[search index=_* status=success|stats count(user) as success_user]|appendcols[search index=_* status=failure|stats count(user) as fail_user]|eval successRate=((success_user/Total_user)*100)."%", failureRate=((fail_user/Total_user)*100)."%"|table Total_user successRate failureRate
Look at the result
Good Thanks
In the absence of real sample logs, something like this should get you close:
yourSearch
| stats count(eval(match(Type, "ERROR"))) AS f, count as t
| eval s = t-f, percF = (f/t)*100, percS=100-percF
| rename t as Total, percF as FailureRate, percS as SuccessRate
| table Total, FailureRate, SuccessRate
Do you have the status (failed/succeeded) available as a field? It's tricky to help without knowing what you have to work with. If you have a field, it will be pretty simple to stats count successes and failures, and calculate the totals and percentages from those two values.
yoursearch |stats count AS "Total",count(eval(Type=="ERROR")) AS Failure|eval Faliurerate=(Failure/Total)*100|eval successrate=100-Faliurerate|table Total,successrate,Failurerate
yeah I do have a field called Type=ERROR when it is a failure.