- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Query - How to check failed % > X
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I need help in a splunk search.
My requirement is get the stats for failed and successful count along with the percentage of Failed and Successful and at last I would need to fetch the stats only when the failed % is > 10 %
My query works fine until the below
index=abcd
| eval status= case(statuscode < 400, "Success", statuscode > 399,"Failed")
| stats count(status) as TOTAL count(eval(status="Success")) as Success_count count(eval(status="Failed")) as Failed_count by Name, URL
| eval Success%= ((Success_count /TOTAL)*100)
| eval Failed%= ((Failed_count /TOTAL)*100)
The above works and I get the table with Name URL TOTAL Success_count Failed_count Success% Failed%
Now, when I add the below to the above query, It fails
| where Failed% > 10
How do I get the failed% > 10 with the above table. Please assist
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think Splunk can be finicky about some special characters in fieldnames when evaluating logic statements
I think the same applies for fieldnames containing "{" or "}" and maybe even "."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks for the update. I will verify and get back to you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may need to put single quotes around your field in the where clause
Example:
| makeresults
| eval
"Fail%"=25
| where 'Fail%'>10- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think Splunk can be finicky about some special characters in fieldnames when evaluating logic statements
I think the same applies for fieldnames containing "{" or "}" and maybe even "."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
my hint is to use some filenames which don't contains any special marks when you are searching, calculate or manipulate data. If/when you want those "fancy names" on your output it's better to use like
- rename fooPercent as foo%
- rename bar as "this is bar"
on last command on your SPL. With this way you will get much easier life with SPL 😉
r. Ismo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks for all your inputs. It is working as expected
3 Ways to Make OpenTelemetry Even Better
What's New in Splunk Cloud Platform 9.2.2406?
Enterprise Security Content Update (ESCU) | New Releases
