I need to display priority data for 7 days with the percentage, however am unable to display it in 7 days. My below query works for a days search but doesn't displays for 7 days. Could you please help with fixing the query.
Below is my query.
| multisearch
[ search index=myindex source=mysoruce "* from *" earliest=-7d@d latest=@d
| fields TRN, tomcatget, Queue ]
[ search index=myindex source=mysoruce *sent* earliest=-7d@d latest=@d
| fields TRN, TimeMQPut, Status]
[ search index=myindex source=mysoruce *Priority* earliest=-7d@d latest=@d
| fields TRN,Priority ]
| stats values(*) as * by TRN
| eval PPut=strptime(tomcatput, "%y%m%d %H:%M:%S")
| eval PGet=strptime(tomcatget,"%y%m%d %H:%M:%S")
| eval tomcatGet2tomcatPut=round((PPut-PGet),0)
| fillnull value="No_tomcatPut_Time" tomcatput
| fillnull value="No_tomcatGet_Time" tomcatget
| table TRN, Queue, BackEndID, Status, Priority, tomcatget, tomcatput, tomcatGet2tomcatPut
| eval E2E_5min=if(tomcatGet2tomcatPut<=300,1,0)
| eval E2E_20min=if(tomcatGet2tomcatPut>300 and tomcatGet2tomcatPut<=1200,1,0)
| eval E2E_50min=if(tomcatGet2tomcatPut>1200 and tomcatGet2tomcatPut<=3000,1,0)
| eval E2EGT50min=if(tomcatGet2tomcatPut>3000,1,0)
| eval Total = E2E_5min + E2E_20min + E2E_50min + E2EGT50min
| stats sum(E2E_5min) as sum_5min sum(E2E_20min) as sum_20min sum(E2E_50min) as sum_50min sum(E2EGT50min) as sum_50GTmin sum(Total) as sum_total by Priority
| eval bad = if(Priority="High", sum_20min + sum_50min + sum_50GTmin, if(Priority="Medium", sum_50min + sum_50GTmin, if(Priority="Low", sum_50GTmin, null())))
| eval good = if(Priority="High", sum_5min, if(Priority="Medium", sum_5min + sum_20min, if(Priority="Low", sum_5min+ sum_20min + sum_50min, null())))
| eval per_cal = if(Priority="High", (good / sum_total) * 100, if(Priority="Medium", (good / sum_total) * 100, if(Priority="Low", (good / sum_total) * 100, null())))
| table Priority per_cal
looking to get output in below format.
below are the logs.
source=gettomcat
240628 05:59:41 6677 gettomcat: ===> TRN@q1: abbb-acabca-adste112 [Priority=Medium].
240628 05:59:41 6677 gettomcat: <--- TRN: abbb-acabca-adste112 - S.
source=puttomcat
240628 05:59:58 32296 puttomcat: ---> TRN: abbb-acabca-adste112 - Done.
From the gettomcat source extracted the priority and time, from the puttomcat i have extracted the time, i did a calculation to see the round trip of a request and also percentage of passed request.
Now i need to disable as per the below screenshot. Priority, percentage of each prioirty per day for the last 7 days.
Yes @ITWhisperer, i have extracted all TRN, tomcatget, Queue, TimeMQPut, Status, and Priority.
you're right tomcatput=TimeMQPut, ignore about the status am not using it for the response time calculation.
Splunk query which i shared has response time.
| eval E2E_5min=if(tomcatGet2tomcatPut<=300,1,0)
| eval E2E_20min=if(tomcatGet2tomcatPut>300 and tomcatGet2tomcatPut<=1200,1,0)
| eval E2E_50min=if(tomcatGet2tomcatPut>1200 and tomcatGet2tomcatPut<=3000,1,0)
| eval E2EGT50min=if(tomcatGet2tomcatPut>3000,1,0)
| eval Total = E2E_5min + E2E_20min + E2E_50min + E2EGT50min
| stats sum(E2E_5min) as sum_5min sum(E2E_20min) as sum_20min sum(E2E_50min) as sum_50min sum(E2EGT50min) as sum_50GTmin sum(Total) as sum_total by Priority
This will give below output.
Now am creating a field called good and adding adding a condition.
If priority is High then it should be in sum_5min
if priority is medium then it should be in sum_20min, so adding sum_5min + sum_20min
If priority is High then it should be in sum_50min, so adding sum_5min + sum_20min + sum_50min
| eval good = if(Priority="High", sum_5min, if(Priority="Medium", sum_5min + sum_20min, if(Priority="Low", sum_5min+ sum_20min + sum_50min, null())))
After getting the good field data, now am calculating percentage of success which display in a table format
When i try a timechart it doesnt work as expected.
timechart span=1d avg(per_cal) by Priority
Gives me output no results found.
