SLA monitoring: percentage of slow transactions

bowa
Path Finder

I have selected and filtered a bunch of transactions that are part of KPI in our SLA.

We define "slow" transactions as transactions with a duration over 3 seconds.

Now that I have all transactions (and thus their durations) that have to be taken into account, how can I calculate how many % of those is considered "slow"?

Thanks in advance

0 Karma

Ayn
Legend

You could use eval and if to divide the durations into "OK" and "Not OK" levels, for instance. Let's call the duration field duration and assume that it holds the values in whole seconds.

<yourbasesearch> | eval sla_level=if(duration>3,"Not OK","OK") | top sla_level

This will give you a table with absolute count and percentage of each "Not OK" and "OK" durations. If you want to divide into more intervals, you could use case instead of if and define more levels.

EDIT: So in response to your comment regarding getting these stats per hour, here's how to do it:

<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level

Filtering out all hours with less than 10 events requires some tricks but can be done like this:

<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level | untable _time sla_level count | where count>=10 | xyseries _time sla_level count

0 Karma
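
An added example, not part of the original thread or of Ayn's answer: one way to return the percentage of slow transactions per hour directly, using the question's 3-second threshold and dropping hours whose total is below 10 transactions. The first five lines construct 40 sample events spread over three hours in place of <yourbasesearch>; the field names n, hour_offset, total, slow and pct_slow are assumptions made for this example.

```spl
| makeresults count=40
| streamstats count AS n
| eval hour_offset=case(n<=20, 0, n<=35, 1, true(), 2)
| eval _time=relative_time(now(), "@h") - hour_offset*3600
| eval duration=n % 6
| bin _time span=1h
| stats count AS total, count(eval(duration>3)) AS slow BY _time
| where total>=10
| eval pct_slow=round(100*slow/total, 1)
| table _time total slow pct_slow
```

On real data, replace the first five lines with <yourbasesearch>; everything from bin onward stays the same.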


bowa
Path Finder

You rock Ayn 🙂

0 Karma

Ayn
Legend

That can certainly be done! Have a look at the response, I edited it to include searches that do what you want.

0 Karma

bowa
Path Finder

Wow 🙂 What a quick reply.
That indeed is going in the right direction. I would need two things to add to it:
* I would like to see those percentages on a per hour basis (span=1h)

(and if possible ...)
* I am not interested in hours where there are less than 10 transactions.

0 Karma