Splunk Search

Porcentage two values

Path Finder

Since I can get it to show me when the percentage of errors 69 and 10001 is greater than 10, with the following search it doesn't work, you can help me.

``````index="cdr"
| search "Tipo_Trafico"="*" "Codigo_error"="*"
| stats count(eval(Tipo_Trafico="MT")) AS Total_MT, count(eval(Codigo_error="69")) AS Error_69
| eval P_Error_69=((Error_69*100/Total_MT))

| stats count(eval(Tipo_Trafico="MT")) AS Total_MT, count(eval(Codigo_error="10001")) AS Error_10001
| eval P_Error_10001=((Error_10001*100/Total_MT))

| stats count by P_Error_69, P_Error_10001
| where count>10``````
Labels (3)

• stats

Tags (3)
1 Solution
SplunkTrust

Try this

``````index="cdr" "Tipo_Trafico"="*" "Codigo_error"="*"
| eval Error_{Codigo_error}=if(Codigo_error="69" OR Codigo_error="10001", 1, 0)
| stats count(eval(Tipo_Trafico="MT")) AS Total_MT sum(Error_*) as Error_*
| foreach Error_* [ eval Error_<<MATCHSTR>>_P=(('<<FIELD>>'*100/Total_MT)), ThresholdExceeded=if(Error_<<MATCHSTR>>_P > 10, 1, coalesce(ThresholdExceeded, 0)) ]
| where ThresholdExceeded>0``````
Path Finder

Sorry, I misunderstood, it works correctly.

SplunkTrust

Try this

``````index="cdr" "Tipo_Trafico"="*" "Codigo_error"="*"
| eval Error_{Codigo_error}=if(Codigo_error="69" OR Codigo_error="10001", 1, 0)
| stats count(eval(Tipo_Trafico="MT")) AS Total_MT sum(Error_*) as Error_*
| foreach Error_* [ eval Error_<<MATCHSTR>>_P=(('<<FIELD>>'*100/Total_MT)), ThresholdExceeded=if(Error_<<MATCHSTR>>_P > 10, 1, coalesce(ThresholdExceeded, 0)) ]
| where ThresholdExceeded>0``````
Path Finder

If I wanted to add another error ,example Codigo_error="10001", what would I have to do?

Path Finder

If I wanted to add another error ,example Codigo_error="11", what would I have to do?

SplunkTrust

OK, if you want to add in more error code use cases, then change this line

``| eval Error_{Codigo_error}=if(Codigo_error="69" OR Codigo_error="10001", 1, 0)``

Change it like to

``| eval Error_{Codigo_error}=if(in(Codigo_error, "69", "10001", "11"), 1, 0) ``

and add as many as needed

SplunkTrust

@Miguel3393 actually if you change that line to

``| eval Error_{Codigo_error}=if(in(Codigo_error, "69", "10001", "11"), 1, null()) ``

i.e. replace the final 0 with null() then you will not get all the extra columns for other Codigo_error values.

Path Finder

Thanks for the response, it does show info, but it seems that it looks for all errors and not just 10001 and 69.

and it seems not to respect that it only shows when the percentage is greater than 10.

Regards

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...