Splunk Search

Need to create a search that shows both success percentage and failure count in dual axis combo chart.

vijaysubramania
Path Finder

Hi,

I need to write a search that shows both the success percentage and failure count in a dual axis combo chart.

I am able to do it independently, but unable to do it in a combo chart, which is only showing the trend for the last 7 days (y-axis) while failure events will give the overall count for the day (x-axis).

"requestMethod=POST AND "/customerentitlementsservice/v1/ces/account*" responseStatus"

Success trend:

|dedup requestId 
|eval FailureCount=if((responseStatus != 200) OR like(Status,"%,%"),1,0) 
|bin _time span=1d 
|stats  count as Total, sum(FailureCount) as Fail by _time 
|eval successrate=Round(((Total-Fail)*100)/Total,2 )
|eval Date =strftime(_time, "%m/%d/%y") 
|chart values(successrate)  AS Successrate% by Date
0 Karma

maityayan1996
Path Finder

Use the query below, which will give you the successrate along with sum(failcount) on a per-day basis in a single chart. Please accept the answer once you resolve the issue. Thanks

|dedup requestId
|eval FailureCount=if((Status!=200) OR like(Status,"%,%"),1,0)
|bin _time span=1d
|stats count as Total, sum(FailureCount) as Fail by _time
|eval successrate=Round(((Total-Fail)*100)/Total,2 )
|eval Date =strftime(_time, "%m/%d/%y")
| stats values(Fail) as Fail , values(successrate) as successrate by _time

0 Karma

vijaysubramania
Path Finder

Thanks maityayan. This works.

I did it the other way around, but the only problem is that it prints 6 decimals:

|stats count(eval(responseStatus=200)) as Success, count as Total by _time
|eval Percent=round((Success/Total)*100,2), Failure=Total-Success
|eval Date =strftime(_time, "%m/%d/%y")
|timechart avg(Percent) AS Successrate%, avg(Failure) AS Failed-Session-Count

94.680000 617.000000

0 Karma
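The dual-axis part of the question, as an added example that is not part of the original thread: a Simple XML panel that draws the daily failure count as columns and overlays the success rate as a line on a second y-axis. The base search terms, the panel title and the axis titles are assumptions; the failure definition and the field names `Fail` and `successrate` are taken from the posts above. The percentage is computed and rounded after `timechart`, so it is not passed through `avg()`.

```xml
<dashboard>
  <row>
    <panel>
      <!-- Title is a hypothetical label for this example -->
      <title>Daily success rate vs. failed requests</title>
      <chart>
        <search>
          <!-- Base search terms are assumed from the asker's post;
               adjust them to the actual index and sourcetype -->
          <query><![CDATA[
requestMethod=POST "/customerentitlementsservice/v1/ces/account*"
| dedup requestId
| eval FailureCount=if((responseStatus != 200) OR like(Status,"%,%"),1,0)
| timechart span=1d count AS Total, sum(FailureCount) AS Fail
| eval successrate=round(((Total-Fail)*100)/Total,2)
| fields _time, Fail, successrate
          ]]></query>
          <!-- Last 7 days, snapped to midnight so each daily bucket is complete -->
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <!-- Primary series (Fail) is drawn as columns on the left axis -->
        <option name="charting.chart">column</option>
        <option name="charting.axisTitleY.text">Failed requests</option>
        <!-- successrate is drawn as a line overlay on its own right-hand axis -->
        <option name="charting.chart.overlayFields">successrate</option>
        <option name="charting.axisY2.enabled">1</option>
        <option name="charting.axisTitleY2.text">Success rate (%)</option>
        <!-- Pin the percentage axis to 0-100 so small dips stay in proportion -->
        <option name="charting.axisY2.minimumNumber">0</option>
        <option name="charting.axisY2.maximumNumber">100</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Days with no matching events have `Total` equal to 0, so `successrate` is empty for those days and the line shows a gap there.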