Splunk Search

Success vs Entry (Effectiveness interval problem)

cttorres
Explorer

Hi!

I'm having trouble creating effectiveness indicators (focused on the end user) because some cases begin at the end of an interval (minute 59 of the 1 hour interval #1) and those cases end successfully inside the next interval (1 hour interval #2). This means that sometimes the success cases in the interval #2 might be 120 and the entries of the same interval might be 100, giving us a 120% effectiveness.

I know that some cases the entries of the interval #2 will also end up in the interval # 3, and so on. But even so I can't trust this number.

Using join will allow me to be certain on the cases that start and end inside the interval, but I will be blind on the cases that end up successfully in the next interval, so I will have a different problem.

Any ideas?

Thanks for your time!

1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Doing this properly will depend on defining what you mean by effectiveness.

YOU need to make the data answer the exact question you are asking.

It sounds like you are asking, "of the cases that started during this interval, what percentage were completed within 60 minutes?"

That number, calculated properly, cannot ever be over 100%.

To answer that question, try something like this...

index=A host=B script_name=C
| eval entry_time=if(description="Entry",_time,null())
| eval success_time=if(description="Success",_time,null())
| stats min(entry_time) as entry_time max(success_time) as success_time by sid
| eval duration = success_time - entry_time
| where isnotnull(duration) 
| eval success=if(duration<=3600,100,0)
| bin entry_time as _time span=1h
| stats avg(success) as effectiveness by _time

Above code assumes that sid is the identifying number of a case, and that cases that have a beginning but no end or vice versa are to be ignored.

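To make the difference between the two calculations in this thread concrete, here is an added Python example (not code from the thread, from Splunk, or from either poster). It replays the accepted answer's logic on constructed events: pair Entry and Success by sid, attribute each case to the hour of its Entry, and score it 100 or 0 against a 60-minute threshold. Beside it, the same events are counted per interval independently, the way the original timechart did. The field names sid and description are taken from the thread; the event timestamps and case ids are constructed, and case c3 is the "minute 59" case from the question.

```python
from collections import defaultdict
from datetime import datetime, timezone

SPAN = 3600   # one-hour interval, matching span=1h in the accepted answer
SLA = 3600    # "completed within 60 minutes", matching duration<=3600


def ts(hh, mm):
    """Epoch seconds for a constructed 2024-01-01 UTC timestamp."""
    return int(datetime(2024, 1, 1, hh, mm, tzinfo=timezone.utc).timestamp())


# Constructed sample events (not from the thread): (_time, sid, description).
# c3 enters at minute 59 of hour 10 and succeeds in hour 11, the situation the
# question describes; c4 never completes; c5 has a Success with no Entry;
# c6 completes, but only after 100 minutes.
EVENTS = [
    (ts(10, 5), "c1", "Entry"),
    (ts(10, 20), "c1", "Success"),
    (ts(10, 30), "c2", "Entry"),
    (ts(10, 45), "c2", "Success"),
    (ts(10, 59), "c3", "Entry"),
    (ts(11, 10), "c3", "Success"),
    (ts(10, 40), "c4", "Entry"),
    (ts(11, 15), "c5", "Success"),
    (ts(11, 20), "c6", "Entry"),
    (ts(13, 0), "c6", "Success"),
]


def bucket(t, span=SPAN):
    """Floor a timestamp to its interval start, like `bin _time span=1h`."""
    return t - (t % span)


def naive_effectiveness(events, span=SPAN):
    """Count Entry and Success per interval independently (the timechart approach)."""
    entries, successes = defaultdict(int), defaultdict(int)
    for t, _sid, desc in events:
        if desc == "Entry":
            entries[bucket(t, span)] += 1
        elif desc == "Success":
            successes[bucket(t, span)] += 1
    result = {}
    for b in sorted(set(entries) | set(successes)):
        e = entries.get(b, 0)
        # An interval with successes but no entries would divide by zero (None here).
        result[b] = None if e == 0 else round(100.0 * successes.get(b, 0) / e, 2)
    return result


def paired_effectiveness(events, span=SPAN, sla=SLA):
    """Pair events by sid and attribute each case to the interval of its Entry."""
    entry_time, success_time = {}, {}
    for t, sid, desc in events:
        if desc == "Entry":
            entry_time[sid] = min(t, entry_time.get(sid, t))        # min(entry_time)
        elif desc == "Success":
            success_time[sid] = max(t, success_time.get(sid, t))    # max(success_time)
    scores = defaultdict(list)
    for sid, et in entry_time.items():
        if sid not in success_time:
            continue  # no Success yet: dropped, like `where isnotnull(duration)`
        duration = success_time[sid] - et
        scores[bucket(et, span)].append(100 if duration <= sla else 0)
    # avg(success) by _time; a Success with no Entry (c5) never enters the average
    return {b: round(sum(v) / len(v), 2) for b, v in sorted(scores.items())}


if __name__ == "__main__":
    for label, table in (("naive", naive_effectiveness(EVENTS)),
                         ("paired", paired_effectiveness(EVENTS))):
        for b, pct in table.items():
            print(label, datetime.fromtimestamp(b, timezone.utc).strftime("%H:%M"), pct)
```

On these events the independent counts give hour 11 two successes (c3 and c5) against one entry, i.e. 200%, and hour 13 a success with no entry at all, which is exactly the over-100% symptom from the question. The paired version stays within 0 to 100 because every case is counted once, in the interval where it started. Note what it silently does with c4: an entry that never completes is dropped rather than counted as a failure, as the accepted answer states. If open cases matter to the indicator, report their count per interval alongside the percentage rather than letting them disappear.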
niketn
Legend

There are several ways to correlate events and find out the interval; however, you will have to provide us with mock data with dummy (if not actual) field names. Also you will have to provide us with your current query so that the community can assist you better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

cttorres
Explorer

Thank you for the feedback.

It's like this:

index=A host=B script_name=C
| dedup sid
| timechart span=30m count(eval(description="Entry")) as entries count(eval(description="Success")) as success
| eval effectiveness=round(100*success/(entries),2)
| fields _time effectiveness


niketn
Legend

You will still need to provide mock data with sid and description so that your use case is clear. Also, can you explain the effectiveness calculation?

Seems like all your data will start with description=Entry which may lead to description=Successful or not.

index=A host=B script_name=C (description="Entry" OR description="Success") sid=*
| stats count as eventcount min(_time) as EntryTime max(_time) as SuccessTime values(description) as description by sid
| search eventcount>1 description="Entry" description="Success"
| eval duration=SuccessTime-EntryTime
| eval _time=EntryTime
| fields - SuccessTime
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"