Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk query  to display % failures

VS0909
Communicator
‎07-19-2021 12:09 AM

Need help with a Splunk query  to display % failures 

% failures = A1/A2 *100

A1= Total number of events returned by the below query:

index="abc"  "searchTermForA1"

 

A2= Total number of events returned by the below query:

index="xyz"  "searchTermForA2"

Please help with the query.

Thanks!

 

Labels (6)
0 Karma
Reply

VS0909
Communicator
‎07-19-2021 02:05 AM

(index="abc" "searchTermForA1") OR (index="xyz" "searchTermForA2")
| stats count(eval(index="abc")) as A1 count(eval(index="xyz")) as A2

 is not giving the correct count for A1 and A2 , when compared to executing index="abc" "searchTermForA1" and   index="xyz" "searchTermForA2" separately.

 

Need help with a Splunk query  to display % failures 

% failures = A1/A2 *100

A1= Total number of events returned by the below query:

index="abc"  "searchTermForA1"

 

A2= Total number of events returned by the below query:

index="xyz"  "searchTermForA2"

Please help with the query.

Thanks!

 

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-19-2021 02:12 AM 
(index="abc" "searchTermForA1") OR (index="xyz" "searchTermForA2")
| stats count(eval(index="abc")) as A1 count(eval(index="xyz")) as A2

This should work. Can you please try this?

index="abc" "searchTermForA1" | stats count as A1 | appendcols [ search index="xyz" "searchTermForA2"| stats count as A2]
| eval "% failures" = A1/A2 *100

 

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-19-2021 12:55 AM

@VS0909 

Try something like this.

(index="abc"  "searchTermForA1") OR (index="xyz"  "searchTermForA2")
| stats count(eval(index="abc")) as A1 count(eval(index="xyz")) as A2
| eval "% failures" = A1/A2 *100
0 Karma
Reply

VS0909
Communicator
‎07-19-2021 01:25 AM

@kamlesh_vaghela  Thanks for the reply!

But for "A1= count(eval(index="abc"))" 

My requirement is A1= Total number of events returned by the below query:

index="abc"  "searchTermForA1"

A2= Total number of events returned by the below query:

index="xyz"  "searchTermForA2"

A1  and A2 should include count filter by index and search term.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-19-2021 01:38 AM

@VS0909 

Events are already filtered with

(index="abc"  "searchTermForA1") OR (index="xyz"  "searchTermForA2")

 

So only index filter is enough to identify events,

| stats count(eval(index="abc")) as A1 count(eval(index="xyz")) as A2

 

So just try and let me know if any issue.

Thanks
KV
▄︻̷̿┻̿═━一   ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...