Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Show only those users who exceed percentage of a certain value

plucas_splunk
Splunk Employee
Splunk Employee
‎05-27-2021 09:50 AM

I have a preliminary search of a web-server-like log that looks like:

index=whatever Method=GET
| where Response in (200,404)
| replace 200 with "Hit", 404 with "Miss" in Response

There is also a User field. I want to:

  • Calculate the percentage of misses from the total, e.g., p = misses / (hits + misses), by User.
  • Show the Hits & Misses for only those users where the percentage of misses exceeds some percentage, say 50%.

How can I add to the search to get what I want? Thanks.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-27-2021 10:24 AM 
| makeresults count=10
| streamstats count as row 
| eval user="User_".mvindex(split("ABC",""),row%3)
| eval Response=200+(204*(row%2))
| replace 200 with "Hit", 404 with "Miss" in Response
| stats count(eval(if(Response="Hit",true(),null))) as hits count(eval(if(Response="Miss",true(),null))) as misses by user
| eval percent=100*misses/(hits+misses)
| where percent>=50
0 Karma
Reply

plucas_splunk
Splunk Employee
Splunk Employee
‎05-27-2021 10:41 AM

Could you explain what these lines:

| streamstats count as row 
| eval user="User_".mvindex(split("ABC",""),row%3)
| eval Response=200+(204*(row%2))

do and why they are needed given that I don't care about a 204 value and I already have a User field?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-27-2021 10:47 AM

They generate dummy data - 200+204=404 so every other event is either 200 or 404

They are not needed for your solution, they are just there as a runanywhere example to show you the effect of the other lines.

0 Karma
Reply

plucas_splunk
Splunk Employee
Splunk Employee
‎05-27-2021 10:56 AM

OK, fine.  But when I append your solution to my real search, I just get event rows. I want to see the results like:

UserHitsMissesPercent
bob5338
alice7956

 

ordered by decreasing percentage.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-27-2021 11:01 AM

Try adding

| table user hits misses percent
| sort - percent
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...