Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to calculate % of a specific error

Shahnoor
Explorer
‎07-25-2024 08:02 AM

I have a number of events in 2 category (CAT A and CAT B). There are successful events and failed events with different RESULT value. I need to calculate error percentage of a specific failed event (RESULT = 404) that occurs in only CAT B. 

I need to segregate CAT A from calculation. Then the final result result should be:

( count(RESULT = 404) / count(CAT B) * 100 ) and plot for every 5 minutes.

Please suggest.
 

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-25-2024 08:27 AM

Hi @Shahnoor ,

you should try something like this:

index=your_index CAT=B
| bin span=5m _time
| stats count(eval(RESULT="404")) AS 404_count count BY _time
| eval perc=404_count/count*100

to adapt to your conditons (e.g. CAT=B).

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

Shahnoor
Explorer
‎07-25-2024 09:00 AM

Thanks a lot Giuseppe! Sincerely appreciate your quick response. I'm getting error percentage now.

One small problem: for all the 5 minute spans throughout last 24 hour, I'm getting exactly same number of both total event and error as well. So the error percentage is constant over time (Error count: 106, Event count: 1525, percentage: 6.95%). I know this is not correct. Number of events vary over peak and off-peak hour.

Do you think it's calculating same data and plotting over different time? This is my current script looks like:

index=my_index CAT=B
| bin span=5m _time
| stats count(eval(RESULT="404")) AS Error_count count BY _time
| eval Error_Percentage=round(Error_count/count*100,4)

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-25-2024 09:18 AM

Hi @Shahnoor ,

are you sure that number of events and errors in slices of 5 minutes are different?

because the search is correct.

please try these two searches and manually compare results:

index=my_index CAT=B
| timechart span=5m count(eval(RESULT="404")) AS Error_count

and

index=my_index CAT=B
| timechart span=5m count

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Shahnoor
Explorer
‎07-25-2024 09:44 AM

You're right.  It is still showing same amount in every interval. Thanks a lot.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-25-2024 08:27 AM

Hi @Shahnoor ,

you should try something like this:

index=your_index CAT=B
| bin span=5m _time
| stats count(eval(RESULT="404")) AS 404_count count BY _time
| eval perc=404_count/count*100

to adapt to your conditons (e.g. CAT=B).

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...