Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to calculate % of a specific error

Shahnoor
Explorer
‎07-25-2024 08:02 AM

I have a number of events in 2 category (CAT A and CAT B). There are successful events and failed events with different RESULT value. I need to calculate error percentage of a specific failed event (RESULT = 404) that occurs in only CAT B. 

I need to segregate CAT A from calculation. Then the final result result should be:

( count(RESULT = 404) / count(CAT B) * 100 ) and plot for every 5 minutes.

Please suggest.
 

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-25-2024 08:27 AM

Hi @Shahnoor ,

you should try something like this:

index=your_index CAT=B
| bin span=5m _time
| stats count(eval(RESULT="404")) AS 404_count count BY _time
| eval perc=404_count/count*100

to adapt to your conditons (e.g. CAT=B).

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

Shahnoor
Explorer
‎07-25-2024 09:00 AM

Thanks a lot Giuseppe! Sincerely appreciate your quick response. I'm getting error percentage now.

One small problem: for all the 5 minute spans throughout last 24 hour, I'm getting exactly same number of both total event and error as well. So the error percentage is constant over time (Error count: 106, Event count: 1525, percentage: 6.95%). I know this is not correct. Number of events vary over peak and off-peak hour.

Do you think it's calculating same data and plotting over different time? This is my current script looks like:

index=my_index CAT=B
| bin span=5m _time
| stats count(eval(RESULT="404")) AS Error_count count BY _time
| eval Error_Percentage=round(Error_count/count*100,4)

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-25-2024 09:18 AM

Hi @Shahnoor ,

are you sure that number of events and errors in slices of 5 minutes are different?

because the search is correct.

please try these two searches and manually compare results:

index=my_index CAT=B
| timechart span=5m count(eval(RESULT="404")) AS Error_count

and

index=my_index CAT=B
| timechart span=5m count

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Shahnoor
Explorer
‎07-25-2024 09:44 AM

You're right.  It is still showing same amount in every interval. Thanks a lot.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-25-2024 08:27 AM

Hi @Shahnoor ,

you should try something like this:

index=your_index CAT=B
| bin span=5m _time
| stats count(eval(RESULT="404")) AS 404_count count BY _time
| eval perc=404_count/count*100

to adapt to your conditons (e.g. CAT=B).

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...