Splunk Search

Porcentage two values

Miguel3393
Path Finder

Since I can get it to show me when the percentage of errors 69 and 10001 is greater than 10, with the following search it doesn't work, you can help me.

index="cdr"
| search "Tipo_Trafico"="*" "Codigo_error"="*"
| stats count(eval(Tipo_Trafico="MT")) AS Total_MT, count(eval(Codigo_error="69")) AS Error_69
| eval P_Error_69=((Error_69*100/Total_MT))

| stats count(eval(Tipo_Trafico="MT")) AS Total_MT, count(eval(Codigo_error="10001")) AS Error_10001
| eval P_Error_10001=((Error_10001*100/Total_MT))

| stats count by P_Error_69, P_Error_10001
| where count>10
Labels (3)
Tags (3)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

Try this

index="cdr" "Tipo_Trafico"="*" "Codigo_error"="*" 
| eval Error_{Codigo_error}=if(Codigo_error="69" OR Codigo_error="10001", 1, 0)
| stats count(eval(Tipo_Trafico="MT")) AS Total_MT sum(Error_*) as Error_*
| foreach Error_* [ eval Error_<<MATCHSTR>>_P=(('<<FIELD>>'*100/Total_MT)), ThresholdExceeded=if(Error_<<MATCHSTR>>_P > 10, 1, coalesce(ThresholdExceeded, 0)) ] 
| where ThresholdExceeded>0

View solution in original post

Miguel3393
Path Finder

Sorry, I misunderstood, it works correctly.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Try this

index="cdr" "Tipo_Trafico"="*" "Codigo_error"="*" 
| eval Error_{Codigo_error}=if(Codigo_error="69" OR Codigo_error="10001", 1, 0)
| stats count(eval(Tipo_Trafico="MT")) AS Total_MT sum(Error_*) as Error_*
| foreach Error_* [ eval Error_<<MATCHSTR>>_P=(('<<FIELD>>'*100/Total_MT)), ThresholdExceeded=if(Error_<<MATCHSTR>>_P > 10, 1, coalesce(ThresholdExceeded, 0)) ] 
| where ThresholdExceeded>0

Miguel3393
Path Finder

If I wanted to add another error ,example Codigo_error="10001", what would I have to do?

0 Karma

Miguel3393
Path Finder

If I wanted to add another error ,example Codigo_error="11", what would I have to do?

0 Karma

bowesmana
SplunkTrust
SplunkTrust

OK, if you want to add in more error code use cases, then change this line

| eval Error_{Codigo_error}=if(Codigo_error="69" OR Codigo_error="10001", 1, 0)

Change it like to

| eval Error_{Codigo_error}=if(in(Codigo_error, "69", "10001", "11"), 1, 0) 

and add as many as needed 

bowesmana
SplunkTrust
SplunkTrust

@Miguel3393 actually if you change that line to 

| eval Error_{Codigo_error}=if(in(Codigo_error, "69", "10001", "11"), 1, null()) 

i.e. replace the final 0 with null() then you will not get all the extra columns for other Codigo_error values.

0 Karma

Miguel3393
Path Finder

Thanks for the response, it does show info, but it seems that it looks for all errors and not just 10001 and 69.

Miguel3393_0-1715290023752.png

and it seems not to respect that it only shows when the percentage is greater than 10.

Regards

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...