Re: Need to create a search thatshows both success...

vijaysubramania · ‎05-18-2020

Hi,

I need to write a search that shows both the success percentage and failure count in a dual axis combo chart.

I am able to do it independently, but unable to do it in a combo chart, which is only showing the trend for the last 7 days (y-axis) while failure events will give the overall count for the day (x-axis).

"requestMethod=POST AND "/customerentitlementsservice/v1/ces/account*" responseStatus"

Success trend:

|dedup requestId 
|eval FailureCount=if((responseStatus != 200) OR like(Status,"%,%"),1,0) 
|bin _time span=1d 
|stats  count as Total, sum(FailureCount) as Fail by _time 
|eval successrate=Round(((Total-Fail)*100)/Total,2 )
|eval Date =strftime(_time, "%m/%d/%y") 
|chart values(successrate)  AS Successrate% by Date

maityayan1996 · ‎05-19-2020

Use this below query which will give you the successrate along with sum(failcount) per day basis in a single chart. Please accept the answer once you resolve the issue. Thanks

|dedup requestId
|eval FailureCount=if((Status!=200) OR like(Status,"%,%"),1,0)
|bin _time span=1d
|stats count as Total, sum(FailureCount) as Fail by _time
|eval successrate=Round(((Total-Fail)*100)/Total,2 )
|eval Date =strftime(_time, "%m/%d/%y")
| stats values(Fail) as Fail , values(successrate) as successrate by _time

vijaysubramania · ‎05-20-2020

Thanks maityayan. This works,

I did it in other way around but only problem is printing in 6 decimals

|stats count(eval(responseStatus=200)) as Success, count as Total by _time
|eval Percent=round((Success/Total)*100,2), Failure=Total-Success |eval Date =strftime(_time, "%m/%d/%y")
|timechart avg(Percent) AS Successrate%, avg(Failure) AS Failed-Session-Count

94.680000 617.000000

Need to create a search thatshows both success percentage and failure count in dual axis combo chart.

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!