Hi,
I need help with a Splunk search.
My requirement is to get the stats for failed and successful counts along with the percentage of Failed and Successful, and at last I would need to fetch the stats only when the failed % is > 10 %.
My query works fine until the below
index=abcd
| eval status= case(statuscode < 400, "Success", statuscode > 399,"Failed")
| stats count(status) as TOTAL count(eval(status="Success")) as Success_count count(eval(status="Failed")) as Failed_count by Name, URL
| eval Success%= ((Success_count /TOTAL)*100)
| eval Failed%= ((Failed_count /TOTAL)*100)
The above works and I get the table with Name URL TOTAL Success_count Failed_count Success% Failed%
Now, when I add the below to the above query, it fails:
| where Failed% > 10
How do I get the failed% > 10 with the above table? Please assist.
Many thanks for the update. I will verify and get back to you
You may need to put single quotes around your field in the where clause
Example:
| makeresults
| eval "Fail%"=25
| where 'Fail%'>10
I think Splunk can be finicky about some special characters in fieldnames when evaluating logic statements
I think the same applies for fieldnames containing "{" or "}" and maybe even "."
Hi,
My hint is to use fieldnames which don't contain any special marks when you are searching, calculating or manipulating data. If/when you want those "fancy names" in your output, it's better to use like
as the last command in your SPL. This way you will get a much easier life with SPL 😉
r. Ismo
Many thanks for all your inputs. It is working as expected
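The second suggestion in the thread (plain field names while calculating and filtering, display names applied only at the end), as an added example that is not part of any post above. The `makeresults` sample events, the `example-svc-*` names, the `success_pct`/`failed_pct` field names and the use of `rename` as the final command are assumptions made for illustration; the `stats` line is the one from the question.

```spl
| makeresults count=40
| streamstats count as n
| eval Name=if(n<=20, "example-svc-a", "example-svc-b"), URL=if(n<=20, "/login", "/search")
| eval statuscode=case(n<=15, 200, n<=20, 500, n<=39, 200, true(), 404)
| eval status=case(statuscode < 400, "Success", statuscode > 399, "Failed")
| stats count(status) as TOTAL count(eval(status="Success")) as Success_count count(eval(status="Failed")) as Failed_count by Name, URL
| eval success_pct=round((Success_count/TOTAL)*100, 2)
| eval failed_pct=round((Failed_count/TOTAL)*100, 2)
| where failed_pct > 10
| rename success_pct as "Success%", failed_pct as "Failed%"
```

With this constructed data, only the example-svc-a row (5 failures out of 20 events) passes the filter; the other row has 1 failure out of 20. Because `where` runs before `rename`, no quoting of `%` field names is needed in the expression.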