Splunk Search

SLA monitoring: percentage of slow transactions

Path Finder

I have selected and filtered a bunch of transactions that are part of KPI in our SLA.

We define "slow" transactions as transactions with a duration over 3 seconds.

Now that i have all transactions (and thus their durations) that have to be taken into account, how can i calculate how many % of those is considered "slow" ?

Tags (1)
1 Solution
Legend

You could use `eval` and `if` to divide the durations into "OK" and "Not OK" levels, for instance. Let's call the duration field `duration` and that it holds the values in whole seconds.

``````<yourbasesearch> | eval sla_level=if(duration>3,"Not OK","OK") | top sla_level
``````

This will give you a table with absolute count and percentage of each "Not OK" and "OK" durations. If you want to divide into more intervals, you could use `case` instead of `if` and define more levels.

EDIT: So in response to your comment regarding getting these stats per hour, here's how to do it:

``````<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level
``````

Filtering out all hours with less than 10 events requires some tricks but can be done like this:

``````<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level | untable _time sla_level count | where count>=10 | xyseries _time sla_level count
``````
Legend

You could use `eval` and `if` to divide the durations into "OK" and "Not OK" levels, for instance. Let's call the duration field `duration` and that it holds the values in whole seconds.

``````<yourbasesearch> | eval sla_level=if(duration>3,"Not OK","OK") | top sla_level
``````

This will give you a table with absolute count and percentage of each "Not OK" and "OK" durations. If you want to divide into more intervals, you could use `case` instead of `if` and define more levels.

EDIT: So in response to your comment regarding getting these stats per hour, here's how to do it:

``````<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level
``````

Filtering out all hours with less than 10 events requires some tricks but can be done like this:

``````<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level | untable _time sla_level count | where count>=10 | xyseries _time sla_level count
``````
Path Finder

You rock Ayn 🙂

Legend

That can certainly be done! Have a look at the response, I edited it to include searches that do what you want.

Path Finder

wow 🙂 what a quick reply.
that indeed is going in the right direction. I would need two things to add to it:
* I would like to see those percentages on a per hour basis (span=1h)

(and if possible ...)
* I am not interested in hours where there are less than 10 transactions.

Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...