Solved: Query to get top 5 failures

s_kandula · ‎05-13-2020

I have events being sent to Splunk which will have the following fields
MsgID, Status(Failure/Success)
I need to get the list of top 5 MsgIDs with maximum failures. And display each of the 5 MsgIDs in a pie chart, with success and failure percentages.

I am able to get the top 5 failures, but unable to figure out how to get both success and faliures as percentages for top 5 failures.
Please help

richgalloway · ‎05-13-2020

This query will give you successes and failures as percentages, but I don't know a way to get both into the same pie chart.

... | stats count as Total, count(eval(Status=="Failure")) as Failures, count(eval(Status=="Success")) as Successes by MsgID
| sort 5 - Failures
| eval PctFailure = Failures * 100 / Total, PctSuccess = Successes * 100 / Total
| chart PctFailure by MsgID

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-13-2020

This query will give you successes and failures as percentages, but I don't know a way to get both into the same pie chart.

... | stats count as Total, count(eval(Status=="Failure")) as Failures, count(eval(Status=="Success")) as Successes by MsgID
| sort 5 - Failures
| eval PctFailure = Failures * 100 / Total, PctSuccess = Successes * 100 / Total
| chart PctFailure by MsgID

---
If this reply helps you, Karma would be appreciated.

Query to get top 5 failures

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Query to get top 5 failures

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!