Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Looking for a percent of a subset of data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings,
I've got a handful of API URLS, some with HTTP return status of 200, 201, and 500. I'm trying to come up with a search that returns the count of 500's and a percent of 500's for each API URL over the total of all of the responses for just that API URL. Example aggregated data set (out of Apache logs):
/Account (HTTP 200): 50
/Account (HTTP 201): 60
/Account (HTTP 500): 14
Total: 124
/User (HTTP 200): 75
/User (HTTP 201): 34
/User (HTTP 500): 3
Total: 112
What I'm looking to get is something like:
API_Status Count Percent
/Account_500 14 11.29%
/User _500 3 2.67%
I'm close. What I've got now is a count & percentage, but the percentage is across all traffic, not just the traffic for the particular API.
index=web sourcetype=apache_logs | eval myAPI=url
| eval API_Status=myAPI . "_" . status
| chart count by API_Status
| eventstats sum(count) as total
| eval percent_of_all_APIs=count/total*100
| search API_Status="*_5*"
| fields - total
Any suggestions would be greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This seems more simple and direct to me:
index=web sourcetype=apache_logs
| stats count by url status
| eventstats sum(count) as total by url
| where status > 499 and status < 600
| eval percent_per_API = tostring(round(count * 100 / total,2) + "%"
| rename url as myAPI
| table myAPI status count percent_per_API
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This seems more simple and direct to me:
index=web sourcetype=apache_logs
| stats count by url status
| eventstats sum(count) as total by url
| where status > 499 and status < 600
| eval percent_per_API = tostring(round(count * 100 / total,2) + "%"
| rename url as myAPI
| table myAPI status count percent_per_API
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That did it. In the form view, that search needed to be wrapped in <[!CDATA[ ]]> or have the ">" and "<" escaped.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As @somesoni2 suggested, edit your eventstats as follows:
index=web sourcetype=apache_logs | eval myAPI=url
| eval API_Status=myAPI . "_" . status
| chart count by API_Status
| eventstats sum(count) as total by myAPI
| eval percent_of_all_APIs=count/total*100
| search API_Status="*_5*"
| fields - total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I may have been close, but this doesn't seem to do it...at least not yet.
I Added "by myAPI" to eventstats. The final chart output doesn't show the percent_of_all_APIs (which is named poorly, and should be percent_per_API) result.
I'm still missing something.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're closest your can get. Just add myAPI in your eventstats. 🙂
Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!
Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console
Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!
