I have selected and filtered a bunch of transactions that are part of KPI in our SLA.
We define "slow" transactions as transactions with a duration over 3 seconds.
Now that i have all transactions (and thus their durations) that have to be taken into account, how can i calculate how many % of those is considered "slow" ?
Thanks in advance
You could use eval
and if
to divide the durations into "OK" and "Not OK" levels, for instance. Let's call the duration field duration
and that it holds the values in whole seconds.
<yourbasesearch> | eval sla_level=if(duration>3,"Not OK","OK") | top sla_level
This will give you a table with absolute count and percentage of each "Not OK" and "OK" durations. If you want to divide into more intervals, you could use case
instead of if
and define more levels.
EDIT: So in response to your comment regarding getting these stats per hour, here's how to do it:
<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level
Filtering out all hours with less than 10 events requires some tricks but can be done like this:
<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level | untable _time sla_level count | where count>=10 | xyseries _time sla_level count
You could use eval
and if
to divide the durations into "OK" and "Not OK" levels, for instance. Let's call the duration field duration
and that it holds the values in whole seconds.
<yourbasesearch> | eval sla_level=if(duration>3,"Not OK","OK") | top sla_level
This will give you a table with absolute count and percentage of each "Not OK" and "OK" durations. If you want to divide into more intervals, you could use case
instead of if
and define more levels.
EDIT: So in response to your comment regarding getting these stats per hour, here's how to do it:
<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level
Filtering out all hours with less than 10 events requires some tricks but can be done like this:
<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level | untable _time sla_level count | where count>=10 | xyseries _time sla_level count
You rock Ayn 🙂
That can certainly be done! Have a look at the response, I edited it to include searches that do what you want.
wow 🙂 what a quick reply.
that indeed is going in the right direction. I would need two things to add to it:
* I would like to see those percentages on a per hour basis (span=1h)
(and if possible ...)
* I am not interested in hours where there are less than 10 transactions.