Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to calculate % of a specific error

Shahnoor
Explorer
‎07-25-2024 08:02 AM

I have a number of events in 2 category (CAT A and CAT B). There are successful events and failed events with different RESULT value. I need to calculate error percentage of a specific failed event (RESULT = 404) that occurs in only CAT B. 

I need to segregate CAT A from calculation. Then the final result result should be:

( count(RESULT = 404) / count(CAT B) * 100 ) and plot for every 5 minutes.

Please suggest.
 

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-25-2024 08:27 AM

Hi @Shahnoor ,

you should try something like this:

index=your_index CAT=B
| bin span=5m _time
| stats count(eval(RESULT="404")) AS 404_count count BY _time
| eval perc=404_count/count*100

to adapt to your conditons (e.g. CAT=B).

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

Shahnoor
Explorer
‎07-25-2024 09:00 AM

Thanks a lot Giuseppe! Sincerely appreciate your quick response. I'm getting error percentage now.

One small problem: for all the 5 minute spans throughout last 24 hour, I'm getting exactly same number of both total event and error as well. So the error percentage is constant over time (Error count: 106, Event count: 1525, percentage: 6.95%). I know this is not correct. Number of events vary over peak and off-peak hour.

Do you think it's calculating same data and plotting over different time? This is my current script looks like:

index=my_index CAT=B
| bin span=5m _time
| stats count(eval(RESULT="404")) AS Error_count count BY _time
| eval Error_Percentage=round(Error_count/count*100,4)

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-25-2024 09:18 AM

Hi @Shahnoor ,

are you sure that number of events and errors in slices of 5 minutes are different?

because the search is correct.

please try these two searches and manually compare results:

index=my_index CAT=B
| timechart span=5m count(eval(RESULT="404")) AS Error_count

and

index=my_index CAT=B
| timechart span=5m count

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Shahnoor
Explorer
‎07-25-2024 09:44 AM

You're right.  It is still showing same amount in every interval. Thanks a lot.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-25-2024 08:27 AM

Hi @Shahnoor ,

you should try something like this:

index=your_index CAT=B
| bin span=5m _time
| stats count(eval(RESULT="404")) AS 404_count count BY _time
| eval perc=404_count/count*100

to adapt to your conditons (e.g. CAT=B).

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...