Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Porcentage two values

Miguel3393
Path Finder
‎05-08-2024 07:14 PM

Since I can get it to show me when the percentage of errors 69 and 10001 is greater than 10, with the following search it doesn't work, you can help me.

index="cdr"
| search "Tipo_Trafico"="*" "Codigo_error"="*"
| stats count(eval(Tipo_Trafico="MT")) AS Total_MT, count(eval(Codigo_error="69")) AS Error_69
| eval P_Error_69=((Error_69*100/Total_MT))

| stats count(eval(Tipo_Trafico="MT")) AS Total_MT, count(eval(Codigo_error="10001")) AS Error_10001
| eval P_Error_10001=((Error_10001*100/Total_MT))

| stats count by P_Error_69, P_Error_10001
| where count>10
Labels (3)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-08-2024 08:20 PM

Try this

index="cdr" "Tipo_Trafico"="*" "Codigo_error"="*" 
| eval Error_{Codigo_error}=if(Codigo_error="69" OR Codigo_error="10001", 1, 0)
| stats count(eval(Tipo_Trafico="MT")) AS Total_MT sum(Error_*) as Error_*
| foreach Error_* [ eval Error_<<MATCHSTR>>_P=(('<<FIELD>>'*100/Total_MT)), ThresholdExceeded=if(Error_<<MATCHSTR>>_P > 10, 1, coalesce(ThresholdExceeded, 0)) ] 
| where ThresholdExceeded>0

View solution in original post

Reply
Solved! Jump to solution

Miguel3393
Path Finder
‎05-09-2024 05:02 PM

Sorry, I misunderstood, it works correctly.

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-08-2024 08:20 PM

Try this

index="cdr" "Tipo_Trafico"="*" "Codigo_error"="*" 
| eval Error_{Codigo_error}=if(Codigo_error="69" OR Codigo_error="10001", 1, 0)
| stats count(eval(Tipo_Trafico="MT")) AS Total_MT sum(Error_*) as Error_*
| foreach Error_* [ eval Error_<<MATCHSTR>>_P=(('<<FIELD>>'*100/Total_MT)), ThresholdExceeded=if(Error_<<MATCHSTR>>_P > 10, 1, coalesce(ThresholdExceeded, 0)) ] 
| where ThresholdExceeded>0
Reply
Solved! Jump to solution

Miguel3393
Path Finder
‎05-09-2024 05:42 PM

If I wanted to add another error ,example Codigo_error="10001", what would I have to do?

0 Karma
Reply
Solved! Jump to solution

Miguel3393
Path Finder
‎05-09-2024 05:43 PM

If I wanted to add another error ,example Codigo_error="11", what would I have to do?

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎05-09-2024 06:10 PM

OK, if you want to add in more error code use cases, then change this line

| eval Error_{Codigo_error}=if(Codigo_error="69" OR Codigo_error="10001", 1, 0)

Change it like to

| eval Error_{Codigo_error}=if(in(Codigo_error, "69", "10001", "11"), 1, 0)

and add as many as needed 

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎05-09-2024 06:15 PM

@Miguel3393 actually if you change that line to 

| eval Error_{Codigo_error}=if(in(Codigo_error, "69", "10001", "11"), 1, null())

i.e. replace the final 0 with null() then you will not get all the extra columns for other Codigo_error values.

0 Karma
Reply
Solved! Jump to solution

Miguel3393
Path Finder
‎05-09-2024 02:30 PM

Thanks for the response, it does show info, but it seems that it looks for all errors and not just 10001 and 69.

Miguel3393_0-1715290023752.png

and it seems not to respect that it only shows when the percentage is greater than 10.

Regards

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...