index=betas host="*433*" description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL"
| dedup pnr
| bucket _time span=1d
| stats count(eval(description="POSTULATION_SUCCESS")) as successes count(eval(description="POSTULATION_FAIL")) as failures by _time
| eval total=failures+successes
| eval ratio=successes/total
| fields - total successes failures
I get certain results when I add dedup pnr
and certain results without it.
I'm interested in having them both on the same chart.
What would be a good approach for this?
EDIT: To make my point clearer
This
index=betas host="*433*" description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL"
| dedup pnr
| bucket _time span=1d
| stats count(eval(description="POSTULATION_SUCCESS")) as successes count(eval(description="POSTULATION_FAIL")) as failures by _time
| eval total=failures+successes
| eval ratio=successes/total
| fields - total successes failures
produces a chart like this:
And this:
index=betas host="*433*" description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL"
| bucket _time span=1d
| stats count(eval(description="POSTULATION_SUCCESS")) as successes count(eval(description="POSTULATION_FAIL")) as failures by _time
| eval total=failures+successes
| eval ratio=successes/total
| fields - total successes failures
Note that the dedup is gone but the rest is identical; it produces this:
I need to put these two lines in the same chart.
Try this
index=betas host="*433*" description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL"
| streamstats current=t count AS _serial by pnr
| bucket _time span=1d
| stats count(eval(description="POSTULATION_SUCCESS")) as successes count(eval(description="POSTULATION_FAIL")) as failures count(eval(description="POSTULATION_SUCCESS" AND _serial=1)) as last_successes count(eval(description="POSTULATION_FAIL" AND _serial=1)) as last_failures by _time
| eval total=failures+successes
| eval ratio=successes/total
| eval last_total=last_failures+last_successes
| eval last_ratio=last_successes/last_total
| fields - *total *successes *failures
I am not exactly sure what you're doing there because I'm pretty new to Splunk, but it doesn't seem to be what I was looking for. I probably explained myself incorrectly.
I have updated my question to be more clear. I basically need to have ratio 1, which does not have deduplication by pnr, and ratio 2, which has the deduplication, in the same chart. I think the update will make it much clearer.
I had a typo in my answer which I have fixed. Yes, my answer should do exactly what you are saying. Try it again.
Also, shouldn't it be comma separated? I made it so and seems to work just fine, is there a difference?
No difference (all commas are stripped).
This was exactly what I was after. Thanks a lot! There's only a slight problem with the fields (which I already solved but am curious about).
It seems that *successes doesn't get rid of the successes field for some weird reason.
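Why the answer's search yields both lines, as an added example that is not part of the original thread: this Python sketch emulates `dedup pnr` and `streamstats ... count AS _serial by pnr` on constructed events and shows that filtering on `_serial=1` selects the same events as `dedup pnr`, so both ratios come out of one pass. The event data and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed events (day, pnr, description), newest first as a search returns them.
EVENTS = [
    ("2024-01-03", "P3", "POSTULATION_SUCCESS"),
    ("2024-01-03", "P1", "POSTULATION_FAIL"),
    ("2024-01-03", "P1", "POSTULATION_FAIL"),
    ("2024-01-02", "P2", "POSTULATION_SUCCESS"),
    ("2024-01-02", "P1", "POSTULATION_SUCCESS"),
    ("2024-01-02", "P2", "POSTULATION_FAIL"),
    ("2024-01-01", "P1", "POSTULATION_FAIL"),
]

def ratio_by_day(events):
    """bucket _time span=1d | stats ... by _time | eval ratio=successes/total"""
    ok, total = defaultdict(int), defaultdict(int)
    for day, _pnr, desc in events:
        total[day] += 1
        ok[day] += desc == "POSTULATION_SUCCESS"
    return {day: ok[day] / total[day] for day in total}

def dedup_pnr(events):
    """dedup pnr: keep only the first event returned for each pnr."""
    seen, kept = set(), []
    for ev in events:
        if ev[1] not in seen:
            seen.add(ev[1])
            kept.append(ev)
    return kept

def with_serial(events):
    """streamstats current=t count AS _serial by pnr: running count per pnr."""
    counts = defaultdict(int)
    tagged = []
    for ev in events:
        counts[ev[1]] += 1
        tagged.append(ev + (counts[ev[1]],))
    return tagged

def both_ratios(events):
    """Single pass: ratio over all events, last_ratio over the _serial=1 events."""
    firsts = [ev[:3] for ev in with_serial(events) if ev[3] == 1]
    ratio, last_ratio = ratio_by_day(events), ratio_by_day(firsts)
    # A day with no _serial=1 event gets no deduplicated value (None here).
    return {day: (ratio[day], last_ratio.get(day)) for day in ratio}

if __name__ == "__main__":
    for day, (ratio, last_ratio) in sorted(both_ratios(EVENTS).items()):
        print(day, round(ratio, 3), last_ratio)
```

The last constructed day contains only a `pnr` already seen on a later day, so it has a plain ratio but no deduplicated one; on a chart that shows up as a gap in the second line.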