I want to find the percentage of success rate over the total amount of events, need help

OgoNARA
Explorer

Hi,

So, I got an issue where I have a log and the log has a field called ERROR_MESSAGES for each event that ends in an error. The other events that have a NULL value under ERROR_MESSAGES are successful events. So, I'm trying to get a percentage of the successful events over the total events. This is the query I built, but when I run the search, success rate comes back with no percentage value, and I know there are 338/3190 successful events. Any help would go a long way. I've been struggling. I feel like my SPL is getting better, but man, this one has me scratching my head.

| inputlookup fm4143_3d.csv
| stats count(FLOW_ID) as total
| appendpipe
[| inputlookup fm4143_3d.csv
| where isnull(ERROR_MESSAGE)
| stats count as success]
| eval success_rate = ((success/total)*100)
| fields success_rate

ITWhisperer
SplunkTrust

Try something like this

| inputlookup fm4143_3d.csv
| stats count(FLOW_ID) as total count(ERROR_MESSAGE) as fail
| eval success = total - fail
| eval success_rate = 100 * success/total
| fields success_rate

OgoNARA
Explorer

Thanks, it worked! All I have to do is convert it to a percentage and we're all good to go. I'll pass along the karma.
