Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Percent of Error Help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am relatively new to Splunk and I am trying to create a percent of error metric. I have two log sources that have a common field named title. One log contains that amount of images processed, while the other processes the number of errors. I am trying to correlate the logs together and output a table that shows the percentage of errors compared to the number processed.
My query looks like this so far:
sourcetype="processed" OR sourcetype="error" | transaction maxspan=1d Title connected=f
after this I'm stuck. Can some one please help me out
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since we can't see the data, what you want is a bit unclear. But, try this
sourcetype="processed" OR sourcetype="error"
| stats count(eval(sourcetype="processed")) as Successful count(eval(sourcetype="error")) as Error by Title
| eval Total = Error + Successful
| eval PercentSuccessful = round(Successful * 100 / Total, 2)
| eval PercentErrors = round(Errors * 100 / Total, 2)
| table Title Total Successful Error PercentSuccessful PercentErrors
Also, this will be a lot faster than the transaction command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since we can't see the data, what you want is a bit unclear. But, try this
sourcetype="processed" OR sourcetype="error"
| stats count(eval(sourcetype="processed")) as Successful count(eval(sourcetype="error")) as Error by Title
| eval Total = Error + Successful
| eval PercentSuccessful = round(Successful * 100 / Total, 2)
| eval PercentErrors = round(Errors * 100 / Total, 2)
| table Title Total Successful Error PercentSuccessful PercentErrors
Also, this will be a lot faster than the transaction command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply. Sorry I couldn't add data to the explanation but its confidential in nature. I tried your query and it worked, but I had just finished a similar query that just got the percentage information. I used the following query (PatientID was the title):
sourcetype="processed" | stats count as Proc | join type=outer max=0 overwrite=false PatientID [search sourcetype="error" | stats count as Err] | eval percent_difference=((Err/Proc)*100) | eval percent_difference=round(percent_difference,0) | table percent_difference
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
