Splunk Search

Looking for a percent of a subset of data

davidpaper
Contributor

Greetings,

I've got a handful of API URLs, some with HTTP return status of 200, 201, and 500. I'm trying to come up with a search that returns the count of 500s and a percent of 500s for each API URL over the total of all of the responses for just that API URL. Example aggregated data set (out of Apache logs):

/Account (HTTP 200): 50 
/Account (HTTP 201): 60 
/Account (HTTP 500): 14 
Total: 124
/User (HTTP 200): 75 
/User (HTTP 201): 34 
/User (HTTP 500): 3 
Total: 112

What I'm looking to get is something like:

API_Status              Count         Percent
/Account_500            14            11.29%
/User_500               3             2.67%

I'm close. What I've got now is a count & percentage, but the percentage is across all traffic, not just the traffic for the particular API.

index=web sourcetype=apache_logs | eval myAPI=url 
| eval API_Status=myAPI . "_" . status  
| chart count by API_Status  
| eventstats sum(count) as total  
| eval percent_of_all_APIs=count/total*100  
| search API_Status="*_5*"  
| fields - total

Any suggestions would be greatly appreciated.

0 Karma
1 Solution

lguinn2
Legend

This seems more simple and direct to me:

index=web sourcetype=apache_logs 
| stats count by url status
| eventstats sum(count) as total by url
| where status > 499 and status < 600
| eval percent_per_API = tostring(round(count * 100 / total, 2)) + "%"
| rename url as myAPI 
| table myAPI status count percent_per_API
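The point of the accepted search is that `eventstats sum(count) as total by url` computes the denominator within each URL group, and that the grouping field must still exist after the preceding `stats` (which is why a `by` clause added after `chart count by API_Status` has nothing to group on). The following Python reproduces the same pipeline over constructed Apache-style lines so the two denominators can be compared side by side. This is an added example, not code from the thread or from Splunk; the log-line regex, the `make_sample_log` generator and the function names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Assumed subset of the Apache combined log format: request line, then status code.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')


def make_sample_log():
    """Synthesise log lines matching the counts quoted in the question (constructed data)."""
    spec = {("/Account", 200): 50, ("/Account", 201): 60, ("/Account", 500): 14,
            ("/User", 200): 75, ("/User", 201): 34, ("/User", 500): 3}
    lines = []
    for (url, status), n in spec.items():
        for i in range(n):
            lines.append(f'10.0.0.{i % 254 + 1} - - [10/Oct/2023:13:55:36 +0000] '
                         f'"GET {url} HTTP/1.1" {status} 512 "-" "curl/7.88"')
    return lines


def parse(lines):
    """Yield (url, status) per parseable line; unparseable lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("url"), int(m.group("status"))


def error_share_per_url(lines, low=500, high=599):
    """Equivalent of: stats count by url status | eventstats sum(count) as total by url
    | where status in [low, high] | eval percent_per_API = count*100/total."""
    counts = Counter(parse(lines))                 # stats count by url status
    totals = defaultdict(int)                       # eventstats ... by url
    for (url, status), n in counts.items():
        totals[url] += n
    rows = []
    for (url, status), n in sorted(counts.items()):
        if low <= status <= high:                   # where status > 499 and status < 600
            rows.append({"myAPI": url, "status": status, "count": n,
                         "percent_per_API": round(n * 100 / totals[url], 2)})
    return rows


def error_share_of_all_traffic(lines, low=500, high=599):
    """The denominator the original search used: one total across every URL."""
    counts = Counter(parse(lines))
    grand_total = sum(counts.values())
    return {(url, status): round(n * 100 / grand_total, 2)
            for (url, status), n in counts.items() if low <= status <= high}


if __name__ == "__main__":
    log = make_sample_log()
    for row in error_share_per_url(log):
        print(f'{row["myAPI"]}_{row["status"]:<8} {row["count"]:<6} {row["percent_per_API"]}%')
    print("same errors as a share of all traffic:", error_share_of_all_traffic(log))
```

Running it prints 11.29% for `/Account` and 2.68% for `/User`, against 5.93% and 1.27% when the grand total is used as the denominator; the difference is exactly the gap between the original search and the accepted one.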


davidpaper
Contributor

That did it. In the form view, that search needed to be wrapped in `<![CDATA[ ]]>` or have the ">" and "<" escaped.

Thanks!

0 Karma

lguinn2
Legend

As @somesoni2 suggested, edit your eventstats as follows:

index=web sourcetype=apache_logs  | eval myAPI=url 
| eval API_Status=myAPI . "_" . status  
| chart count by API_Status  
| eventstats sum(count) as total by myAPI
| eval percent_of_all_APIs=count/total*100  
| search API_Status="*_5*"  
| fields - total

davidpaper
Contributor

I may have been close, but this doesn't seem to do it...at least not yet.

I added "by myAPI" to eventstats. The final chart output doesn't show the percent_of_all_APIs (which is named poorly, and should be percent_per_API) result.

I'm still missing something.

0 Karma

somesoni2
Revered Legend

You're the closest you can get. Just add myAPI in your eventstats. 🙂

0 Karma