Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Show only those users who exceed percentage of a certain value

plucas_splunk
Splunk Employee
Splunk Employee
‎05-27-2021 09:50 AM

I have a preliminary search of a web-server-like log that looks like:

index=whatever Method=GET
| where Response in (200,404)
| replace 200 with "Hit", 404 with "Miss" in Response

There is also a User field. I want to:

  • Calculate the percentage of misses from the total, e.g., p = misses / (hits + misses), by User.
  • Show the Hits & Misses for only those users where the percentage of misses exceeds some percentage, say 50%.

How can I add to the search to get what I want? Thanks.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-27-2021 10:24 AM 
| makeresults count=10
| streamstats count as row 
| eval user="User_".mvindex(split("ABC",""),row%3)
| eval Response=200+(204*(row%2))
| replace 200 with "Hit", 404 with "Miss" in Response
| stats count(eval(if(Response="Hit",true(),null))) as hits count(eval(if(Response="Miss",true(),null))) as misses by user
| eval percent=100*misses/(hits+misses)
| where percent>=50
0 Karma
Reply

plucas_splunk
Splunk Employee
Splunk Employee
‎05-27-2021 10:41 AM

Could you explain what these lines:

| streamstats count as row 
| eval user="User_".mvindex(split("ABC",""),row%3)
| eval Response=200+(204*(row%2))

do and why they are needed given that I don't care about a 204 value and I already have a User field?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-27-2021 10:47 AM

They generate dummy data - 200+204=404 so every other event is either 200 or 404

They are not needed for your solution, they are just there as a runanywhere example to show you the effect of the other lines.

0 Karma
Reply

plucas_splunk
Splunk Employee
Splunk Employee
‎05-27-2021 10:56 AM

OK, fine.  But when I append your solution to my real search, I just get event rows. I want to see the results like:

UserHitsMissesPercent
bob5338
alice7956

 

ordered by decreasing percentage.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-27-2021 11:01 AM

Try adding

| table user hits misses percent
| sort - percent
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...