Splunk Search

Search Query Help =(

Engager

I am trying to monitor the percentages of 500's per endpoint of my api. I currently am returning all of the information and want to only show results if the percentage goes over 5%. (this way I can alert whenever the report is ran and there are greater than 0 results.

sourcetype=MyApiAccessLog

| eval path=My
Path

| eval endpoint = method." ".path

| eval iserror=if(status=500,1,0)

| eval erruser=if(iserror==1, userid, null())

| stats sum(iserror) as errors, count as total, dc(err_user) as users by endpoint

| where errors != 0

| eval percent=round(100*errors/total,2)."%"

| fields endpoint, errors, total, percent, users

| sort -percent

This is working great, but when I add:

| where percent > 5

I get no results even though I know I have endpoints over 5% error rates.
Any ideas?

Tags (5)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

When you append the symbol "%" to your percent field, you change it's type from numerical to string. Comparing a string to a numeric value will render no results. This akin to comparing "5%" > 5.

Change

 | eval percent=round(100*errors/total,2)."%" 

to this:

| eval percent=round(100*errors/total,2)

And add this to the end of your search.

| eval percent=percent."%"

View solution in original post

Splunk Employee
Splunk Employee

When you append the symbol "%" to your percent field, you change it's type from numerical to string. Comparing a string to a numeric value will render no results. This akin to comparing "5%" > 5.

Change

 | eval percent=round(100*errors/total,2)."%" 

to this:

| eval percent=round(100*errors/total,2)

And add this to the end of your search.

| eval percent=percent."%"

View solution in original post

Engager

Oh my God...Im so stupid. Thank you. I cam back to this search after writing it a month ago and forgot I added that for aesthetics. Fresh pair of eyes. You sir, saved my sanity.

http://24.media.tumblr.com/022c89f083711e52d47f5dc75db33db6/tumblr_mocdvvCOSs1srujzdo1_500.gif

0 Karma