Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Show error details when errors 10% higher than previous 30 mins?

MikeyD100
Explorer
‎11-22-2022 12:02 PM

Hi, 

I want to display the error details in the last 30 mins, so they can be investigated, when the amount of errors has increased by 10% from the previous 30mins. 

Search 1
This is the search for the data I want to show in the results 

 

index=myindex source=mysource sourcetype=mysourcetype FailureReason IN ("*Error1*", "*Error2*", "*Error3*")
| table ReqReceivedTimestamp, APIName, ReqUrl, ShopName, ResponseCode, FailureReason, FailureServiceCalloutResponse

 


Search 2
This is the search I have to work out if there are over 10% compared to the last 30 mins

 

index=myindex source=mysource sourcetype=mysourcetype FailureReason IN ("*Error1*", "*Error2*", "*Error3*")
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval difference=server-last30
| eval percentage_change=round((difference/last30)*100,2)
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.10, "True", null())
| where AboveThreshold = "True"
| table percentage_change

 


I want to understand what is the best way to get these 2 searches combined and show the table from Search 1 when  Search 2 >10%

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎11-23-2022 12:50 AM

The second search is much too complicated for the task at hand.  Combine the two with an extremely literal interpretation of your requirement.

index=myindex source=mysource sourcetype=mysourcetype FailureReason IN ("*Error1*", "*Error2*", "*Error3*") earliest=-60m
| eventstats count sum(eval(if(_time < relative_time(now(), "-30m"), 1, 0))) as previous_30m
| eval show_detail = if(count > previous_30m * 2.1, "yes", null()) ``` current > 1.1 * previous ==> (current + previous) > 2.1 * previous ```
| where isnotnull(show_detail) AND _time > relative_time(now(), "-30m") ``` only show current period ```
| table ReqReceivedTimestamp, APIName, ReqUrl, ShopName, ResponseCode, FailureReason, FailureServiceCalloutResponse

 

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎11-23-2022 12:50 AM

The second search is much too complicated for the task at hand.  Combine the two with an extremely literal interpretation of your requirement.

index=myindex source=mysource sourcetype=mysourcetype FailureReason IN ("*Error1*", "*Error2*", "*Error3*") earliest=-60m
| eventstats count sum(eval(if(_time < relative_time(now(), "-30m"), 1, 0))) as previous_30m
| eval show_detail = if(count > previous_30m * 2.1, "yes", null()) ``` current > 1.1 * previous ==> (current + previous) > 2.1 * previous ```
| where isnotnull(show_detail) AND _time > relative_time(now(), "-30m") ``` only show current period ```
| table ReqReceivedTimestamp, APIName, ReqUrl, ShopName, ResponseCode, FailureReason, FailureServiceCalloutResponse

 

Reply
Solved! Jump to solution

MikeyD100
Explorer
‎11-23-2022 06:34 AM

Hi @yuanliu thanks, this example is much more straight forward. I have used that as guide and changed my code to meet my needs and this seems to work well now

 

index=myindex source=mysource sourcetype=mysourcetype FailureReason IN ("*Error1*", "*Error2*", "*Error3*") earliest=-60m
| eventstats count sum(eval(if(_time > relative_time(now(), "-30m"), 1, 0))) as current_30m  ```Get current```
| eventstats count sum(eval(if(_time < relative_time(now(), "-30m"), 1, 0))) as previous_30m ```Get previous```
| eval show_detail = if(round(((current_30m-previous_30m)/previous_30m),4)>0.1, "True", null()) ```Get percentage change compared to previous 30 mins```
| where isnotnull(show_detail) AND _time > relative_time(now(), "-30m")
| table ReqReceivedTimestamp, APIName, ReqUrl, ShopName, ResponseCode, FailureReason, FailureServiceCalloutResponse

 

 

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎11-23-2022 07:15 AM

@MikeyD100 - Kindly accept the answer that helped you resolve your query by clicking on "Accept as Solution", this helps other users in the community.

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎11-22-2022 10:12 PM

@MikeyD100 - Sorry I haven't looked at your second search closely. I'm expecting that is working as you need and give a solution to combine these searches.

index=myindex source=mysource sourcetype=mysourcetype FailureReason IN ("*Error1*", "*Error2*", "*Error3*")

| search [index=myindex source=mysource sourcetype=mysourcetype FailureReason IN ("*Error1*", "*Error2*", "*Error3*")
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval difference=server-last30
| eval percentage_change=round((difference/last30)*100,2)
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.10, "True", null())
| eval sourcetype=if(AboveThreshold="True", "SEARCH_SOMETHING_RANDOM_RANDOM_RANDOM", "*")
| table sourcetype]

| table ReqReceivedTimestamp, APIName, ReqUrl, ShopName, ResponseCode, FailureReason, FailureServiceCalloutResponse

 

I hope this works as you expects.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...