Splunk Search

Show only those users who exceed percentage of a certain value

plucas_splunk
Splunk Employee

I have a preliminary search of a web-server-like log that looks like:

index=whatever Method=GET
| where Response in (200,404)
| replace 200 with "Hit", 404 with "Miss" in Response

There is also a User field. I want to:

  • Calculate the percentage of misses from the total, e.g., p = misses / (hits + misses), by User.
  • Show the Hits & Misses for only those users where the percentage of misses exceeds some percentage, say 50%.

How can I add to the search to get what I want? Thanks.


ITWhisperer
SplunkTrust
| makeresults count=10
| streamstats count as row
| eval user="User_".mvindex(split("ABC",""),row%3)
| eval Response=200+(204*(row%2))
| replace 200 with "Hit", 404 with "Miss" in Response
| stats count(eval(if(Response="Hit",true(),null()))) as hits count(eval(if(Response="Miss",true(),null()))) as misses by user
| eval percent=100*misses/(hits+misses)
| where percent>=50

plucas_splunk
Splunk Employee

Could you explain what these lines:

| streamstats count as row 
| eval user="User_".mvindex(split("ABC",""),row%3)
| eval Response=200+(204*(row%2))

do and why they are needed given that I don't care about a 204 value and I already have a User field?


ITWhisperer
SplunkTrust

They generate dummy data - 200+204=404, so every other event is either 200 or 404.

They are not needed for your solution; they are just there as a run-anywhere example to show you the effect of the other lines.

plucas_splunk
Splunk Employee

OK, fine. But when I append your solution to my real search, I just get event rows. I want to see the results like:

User   Hits   Misses   Percent
bob    5      3        38
alice  7      9        56

ordered by decreasing percentage.

ITWhisperer
SplunkTrust

Try adding

| table user hits misses percent
| sort - percent
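The full pipeline the thread arrives at (filter to GET and 200/404, count hits and misses per user, compute the miss percentage, keep users at or above a threshold, sort descending) can be checked outside Splunk with the same logic run over a handful of log lines. The block below is an added example, not code from the thread or from Splunk; the key=value log layout, the field names, the sample lines and the threshold parameter are all assumptions made for the illustration.

```python
"""Per-user hit/miss ratio over web-server-like log lines.

Added example (not from the thread). It replicates the SPL pipeline
  stats count(...) as hits count(...) as misses by user
  | eval percent=100*misses/(hits+misses)
  | where percent>=50
  | table user hits misses percent
  | sort - percent
in plain Python so the numbers in a Splunk result table can be
sanity-checked offline. Log format and field names are assumptions.
"""
from collections import defaultdict

# Constructed sample lines in key=value form (assumed log layout, not real data).
SAMPLE_LOG = """\
Method=GET Response=200 User=bob
Method=GET Response=404 User=bob
Method=GET Response=200 User=alice
Method=GET Response=404 User=alice
Method=GET Response=404 User=alice
Method=POST Response=404 User=alice
Method=GET Response=500 User=carol
Method=GET Response=200 User=carol
Method=GET Response=404 User=dave
"""

# Equivalent of: replace 200 with "Hit", 404 with "Miss" in Response
RESPONSE_LABELS = {"200": "Hit", "404": "Miss"}


def parse_kv(line):
    """Parse 'key=value key=value' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def hit_miss_by_user(log_text, method="GET", threshold=50.0):
    """Return [(user, hits, misses, percent), ...] sorted by percent descending.

    Mirrors the SPL: keep Method=GET and Response in (200,404), count hits
    and misses per user, compute the miss percentage, keep users whose
    percentage is at or above `threshold`, then sort descending by percent.
    """
    counts = defaultdict(lambda: {"Hit": 0, "Miss": 0})
    for line in log_text.splitlines():
        ev = parse_kv(line)
        if ev.get("Method") != method:
            continue
        label = RESPONSE_LABELS.get(ev.get("Response"))
        if label is None or "User" not in ev:
            continue  # where Response in (200,404); events without a User are dropped
        counts[ev["User"]][label] += 1

    rows = []
    for user, c in counts.items():
        total = c["Hit"] + c["Miss"]
        # total is never 0: a user only appears after at least one counted event
        percent = 100.0 * c["Miss"] / total
        if percent >= threshold:
            rows.append((user, c["Hit"], c["Miss"], round(percent, 2)))
    # sort - percent (descending); user name breaks ties for a stable order
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows


if __name__ == "__main__":
    for user, hits, misses, percent in hit_miss_by_user(SAMPLE_LOG):
        print(f"{user:<8}{hits:>5}{misses:>8}{percent:>9}")
```

With the constructed sample, alice's POST and carol's 500 are excluded before counting, carol drops out because her miss percentage is 0, and the remaining rows come back as dave (100%), alice (66.67%), bob (50%). One caveat when doing the same in Splunk: `sort - percent` keeps at most 10000 results by default; use `sort 0 - percent` if the user list may be larger than that.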