Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search Help- Not sure how to Title
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Substance82
Path Finder
08-23-2024
10:12 AM
I'm trying to achieve the following output using the table command, but am hitting a snag.
| Vision ID | Transactions | Good | % Good | Fair | % Fair | Unacceptable | % Unacceptable | Average Response Time | Report Date |
| ABC STORE (ABCD) | 159666494 | 159564563 | 99.9361601 | 101413 | 0.063515518 | 518 | 0.000324426 | 0.103864001 | Jul-24 |
| Total | 159666494 | 159564563 | 99.9361601 | 101413 | 0.063515518 | 518 | 0.000324426 | 0.103864001 | Jul-24 |
| Thresholds | response <= 1s | 1s < response <= 3s | 3s < response |
Here is my broken query:
index=etims_na
sourcetype=etims_prod
platformId=5
bank_fiid = ABCD
| eval response_time=round(if(strftime(_time,"%Z") == "EDT",((j_timestamp-entry_timestamp)-14400000000)/1000000,((j_timestamp-entry_timestamp)-14400000000)/1000000-3600),3)
| stats count AS Total count(eval(response_time<=1)) AS "Good" count(eval(response_time<=2)) AS "Fair" count(eval(response_time>2)) AS "Unacceptable" avg(response_time) AS "Average" BY Vision_ID
| eval %Good= round((Good/total)*100,2), %Fair = round((Fair/total)*100,2), %Unacceptable = round((Unacceptable/total)*100,2)
| addinfo
| eval "Report Date"=strftime(info_min_time, "%m/%Y")
| table "Vision_ID", "Transactions", "Good", "%Good" "Fair", "%Fair", "Unacceptable", "%Unacceptable", "Average", "Report Date"The help is always appreciated. Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Substance82
Path Finder
08-23-2024
11:09 AM
Read my notes and kept trying until I got it!
index=etims_na
sourcetype=etims_prod
platformId=5
bank_fiid=COST
| eval response_time=round(if(strftime(_time,"%Z") == "EDT",((j_timestamp-entry_timestamp)-14400000000)/1000000,((j_timestamp-entry_timestamp)-14400000000)/1000000-3600),3)
| stats count AS Transactions count(eval(response_time <= 1)) AS "Good" count(eval(response_time <= 2)) AS "Fair" count(eval(response_time > 2)) AS "Unacceptable" avg(response_time) AS "Average" BY bank_fiid
| eval "%Good"=(Good/Transactions)*100
| eval "%Fair"=(Fair/Transactions)*100
| eval "%Unacceptable"=(Unacceptable/Transactions)*100
| addinfo
| eval "Report Date"=strftime(info_min_time, "%m/%Y")
| table bank_fiid, "Transactions", "Good", "%Good" "Fair", "%Fair", "Unacceptable", "%Unacceptable", "Average", "Report Date"
| rename bank_fid as "Vision ID"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Substance82
Path Finder
08-23-2024
11:09 AM
Read my notes and kept trying until I got it!
index=etims_na
sourcetype=etims_prod
platformId=5
bank_fiid=COST
| eval response_time=round(if(strftime(_time,"%Z") == "EDT",((j_timestamp-entry_timestamp)-14400000000)/1000000,((j_timestamp-entry_timestamp)-14400000000)/1000000-3600),3)
| stats count AS Transactions count(eval(response_time <= 1)) AS "Good" count(eval(response_time <= 2)) AS "Fair" count(eval(response_time > 2)) AS "Unacceptable" avg(response_time) AS "Average" BY bank_fiid
| eval "%Good"=(Good/Transactions)*100
| eval "%Fair"=(Fair/Transactions)*100
| eval "%Unacceptable"=(Unacceptable/Transactions)*100
| addinfo
| eval "Report Date"=strftime(info_min_time, "%m/%Y")
| table bank_fiid, "Transactions", "Good", "%Good" "Fair", "%Fair", "Unacceptable", "%Unacceptable", "Average", "Report Date"
| rename bank_fid as "Vision ID"
Get Updates on the Splunk Community!
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...
