I am trying to monitor the percentages of 500's per endpoint of my API. I currently am returning all of the information and want to only show results if the percentage goes over 5% (this way I can alert whenever the report is run and there are greater than 0 results).
sourcetype=My_Api_Access_Log
| eval path=My_Path
| eval endpoint = method." ".path
| eval iserror=if(status=500,1,0)
| eval err_user=if(iserror==1, user_id, null())
| stats sum(iserror) as errors, count as total, dc(err_user) as users by endpoint
| where errors != 0
| eval percent=round(100*errors/total,2)."%"
| fields endpoint, errors, total, percent, users
| sort -percent
This is working great, but when I add:
| where percent > 5
I get no results even though I know I have endpoints over 5% error rates.
Any ideas?
When you append the symbol "%" to your percent field, you change its type from numerical to string. Comparing a string to a numeric value will render no results. This is akin to comparing "5%" > 5.
Change
| eval percent=round(100*errors/total,2)."%"
to this:
| eval percent=round(100*errors/total,2)
And add this to the end of your search.
| eval percent=percent."%"
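Added example, not part of the original answer: the question's search assembled with the change above, so that `percent` stays numeric through the threshold filter and the sort, and the "%" is appended only as the final step. The sourcetype and `My_Path` are the placeholders from the question.

```spl
sourcetype=My_Api_Access_Log
| eval path=My_Path
| eval endpoint = method." ".path
| eval iserror=if(status=500,1,0)
| eval err_user=if(iserror==1, user_id, null())
| stats sum(iserror) as errors, count as total, dc(err_user) as users by endpoint
| where errors != 0
| eval percent=round(100*errors/total,2)
| where percent > 5
| sort -percent
| fields endpoint, errors, total, percent, users
| eval percent=percent."%"
```

Saved as an alert, this search can trigger on "number of results is greater than 0", since only endpoints above the 5% threshold survive the `where` clause.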
Oh my God... I'm so stupid. Thank you. I came back to this search after writing it a month ago and forgot I added that for aesthetics. Fresh pair of eyes. You sir, saved my sanity.
http://24.media.tumblr.com/022c89f083711e52d47f5dc75db33db6/tumblr_mocdvvCOSs1srujzdo1_500.gif