Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Percent of Error Help
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jbouch03
Path Finder
08-20-2013
08:51 AM
I am relatively new to Splunk and I am trying to create a percent of error metric. I have two log sources that have a common field named title. One log contains that amount of images processed, while the other processes the number of errors. I am trying to correlate the logs together and output a table that shows the percentage of errors compared to the number processed.
My query looks like this so far:
sourcetype="processed" OR sourcetype="error" | transaction maxspan=1d Title connected=f
after this I'm stuck. Can some one please help me out
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
08-20-2013
10:44 AM
Since we can't see the data, what you want is a bit unclear. But, try this
sourcetype="processed" OR sourcetype="error"
| stats count(eval(sourcetype="processed")) as Successful count(eval(sourcetype="error")) as Error by Title
| eval Total = Error + Successful
| eval PercentSuccessful = round(Successful * 100 / Total, 2)
| eval PercentErrors = round(Errors * 100 / Total, 2)
| table Title Total Successful Error PercentSuccessful PercentErrors
Also, this will be a lot faster than the transaction command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
08-20-2013
10:44 AM
Since we can't see the data, what you want is a bit unclear. But, try this
sourcetype="processed" OR sourcetype="error"
| stats count(eval(sourcetype="processed")) as Successful count(eval(sourcetype="error")) as Error by Title
| eval Total = Error + Successful
| eval PercentSuccessful = round(Successful * 100 / Total, 2)
| eval PercentErrors = round(Errors * 100 / Total, 2)
| table Title Total Successful Error PercentSuccessful PercentErrors
Also, this will be a lot faster than the transaction command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jbouch03
Path Finder
08-20-2013
10:54 AM
Thanks for the reply. Sorry I couldn't add data to the explanation but its confidential in nature. I tried your query and it worked, but I had just finished a similar query that just got the percentage information. I used the following query (PatientID was the title):
sourcetype="processed" | stats count as Proc | join type=outer max=0 overwrite=false PatientID [search sourcetype="error" | stats count as Err] | eval percent_difference=((Err/Proc)*100) | eval percent_difference=round(percent_difference,0) | table percent_difference
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
