Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Query - How to check failed % > X
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I need help in a splunk search.
My requirement is get the stats for failed and successful count along with the percentage of Failed and Successful and at last I would need to fetch the stats only when the failed % is > 10 %
My query works fine until the below
index=abcd
| eval status= case(statuscode < 400, "Success", statuscode > 399,"Failed")
| stats count(status) as TOTAL count(eval(status="Success")) as Success_count count(eval(status="Failed")) as Failed_count by Name, URL
| eval Success%= ((Success_count /TOTAL)*100)
| eval Failed%= ((Failed_count /TOTAL)*100)
The above works and I get the table with Name URL TOTAL Success_count Failed_count Success% Failed%
Now, when I add the below to the above query, It fails
| where Failed% > 10
How do I get the failed% > 10 with the above table. Please assist
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think Splunk can be finicky about some special characters in fieldnames when evaluating logic statements
I think the same applies for fieldnames containing "{" or "}" and maybe even "."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks for the update. I will verify and get back to you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may need to put single quotes around your field in the where clause
Example:
| makeresults
| eval
"Fail%"=25
| where 'Fail%'>10- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think Splunk can be finicky about some special characters in fieldnames when evaluating logic statements
I think the same applies for fieldnames containing "{" or "}" and maybe even "."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
my hint is to use some filenames which don't contains any special marks when you are searching, calculate or manipulate data. If/when you want those "fancy names" on your output it's better to use like
- rename fooPercent as foo%
- rename bar as "this is bar"
on last command on your SPL. With this way you will get much easier life with SPL 😉
r. Ismo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks for all your inputs. It is working as expected
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
