Splunk Search

Search Query Help =(

dmw7752
Engager

I am trying to monitor the percentages of 500's per endpoint of my api. I currently am returning all of the information and want to only show results if the percentage goes over 5%. (this way I can alert whenever the report is ran and there are greater than 0 results.

sourcetype=My_Api_Access_Log

| eval path=My_Path

| eval endpoint = method." ".path

| eval iserror=if(status=500,1,0)

| eval err_user=if(iserror==1, user_id, null())

| stats sum(iserror) as errors, count as total, dc(err_user) as users by endpoint

| where errors != 0

| eval percent=round(100*errors/total,2)."%"

| fields endpoint, errors, total, percent, users

| sort -percent

This is working great, but when I add:

| where percent > 5

I get no results even though I know I have endpoints over 5% error rates.
Any ideas?

Tags (5)
0 Karma
1 Solution

Gilberto_Castil
Splunk Employee
Splunk Employee

When you append the symbol "%" to your percent field, you change it's type from numerical to string. Comparing a string to a numeric value will render no results. This akin to comparing "5%" > 5.

Change

 | eval percent=round(100*errors/total,2)."%" 

to this:

| eval percent=round(100*errors/total,2)

And add this to the end of your search.

| eval percent=percent."%"

View solution in original post

Gilberto_Castil
Splunk Employee
Splunk Employee

When you append the symbol "%" to your percent field, you change it's type from numerical to string. Comparing a string to a numeric value will render no results. This akin to comparing "5%" > 5.

Change

 | eval percent=round(100*errors/total,2)."%" 

to this:

| eval percent=round(100*errors/total,2)

And add this to the end of your search.

| eval percent=percent."%"

dmw7752
Engager

Oh my God...Im so stupid. Thank you. I cam back to this search after writing it a month ago and forgot I added that for aesthetics. Fresh pair of eyes. You sir, saved my sanity.

http://24.media.tumblr.com/022c89f083711e52d47f5dc75db33db6/tumblr_mocdvvCOSs1srujzdo1_500.gif

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...