Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Support on SPL Query

dinesh001kumar
Explorer
3 weeks ago

I need to display the Success percentage for each service day wise.

I am doing stats and then table getting output as below.

Service NameDateSuccess(%)
Service 129-12-2025100
Service 130-12-202599
Service 131-12-202598
Service 101-01-202695
Service 102-01-202694
Service 229-12-202592
Service 230-12-2025100
Service 231-12-202589
Service 201-01-202698
Service 202-01-202695
Service 329-12-202594
Service 330-12-202592
Service 331-12-2025100
Service 301-01-202689
Service 302-01-202699

 

But i wanted output as below:

Excepted Output:

Service Name29-12-202530-12-202531-12-202501-01-202602-01-2026
Service 110099989594
Service 292100899895
Service 394921008999

 

 

But when i use xyseries command getting result as below which getting 1st in 1st column and last month data getting at the last.

Service Name01-01-202602-01-202629-12-202530-12-202531-12-2025
Service 195941009998
Service 298959210089
Service 389999492100

 

If I use transpose command getting below format.

29-12-202530-12-202531-12-202501-01-202602-01-2026
Service 1Service 1Service 1Service 1Service 1
10099989594

so on..

 

Please help on this request.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
2 weeks ago

Hi @dinesh001kumar ,

if it's acceptable for you, the easiest solution is to use a different date format: yyyy-mm-dd instead of dd-mm-yyyy, because in this way dates are automatically sorted.

If it isn't possible you should pass throgh this format to sort the results and then display the output in the requested format.

Could you share your SPL search?

Supponing that Your SPL is something like this, you could try something like the following:

<your_search>
| eval date=strftime(strptime(your_date,"%d-%m-%Y"),"Y-%m-%d")
| chart max(success) AS success OVER Service_Name BY date

Ciao.

Giuseppe

0 Karma
Reply

dinesh001kumar
Explorer
2 weeks ago

Hi @gcusello ,

 

Thanks for quick response below is my SPL query, the concern her was they wanted to see the date format in "%d-%b-%Y" not in "%Y-%b-%d".

index="main"
| eval txstatus=case(status=200,"Success",status >200 AND status <500,"Business_Fail",status >=500,"System_Fail")
| eval success_pass_count = Success + Business_Fail
| eval svc_nm=case(match(api_name,"login"),"Login",match(api_name,"Prepaid"),"Prepaid Registration",match(api_name,"Postpaid"),"Postpaid Registration",true(),"unKnown")
| bin span=1d _time
| stats count as total sum(success_pass_count) as Success_pass_count
by svc_nm,_time
| eval Success=round((Success_pass_count/total) * 100,2)
| eval Date = strftime(_time, "%Y-%b-%d")
| eval metric="Response", value=Success, col=Date
| xyseries svc_nm,col value
| foreach "*-*-*" [ eval <<FIELD>> = if(isnull('<<FIELD>>'), "- ", round('<<FIELD>>',2)) ]
|rename svc_nm AS "Service Name"

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
2 weeks ago

Hi @dinesh001kumar ,

my hint is to guide your customer to the easiste solution, anyway, please try this following my approach:

index="main"
| eval txstatus=case(status=200,"Success",status >200 AND status <500,"Business_Fail",status >=500,"System_Fail")
| eval success_pass_count = Success + Business_Fail
| eval svc_nm=case(match(api_name,"login"),"Login",match(api_name,"Prepaid"),"Prepaid Registration",match(api_name,"Postpaid"),"Postpaid Registration",true(),"unKnown")
| bin span=1d _time
| stats count as total sum(success_pass_count) as Success_pass_count
by svc_nm,_time
| eval Success=round((Success_pass_count/total) * 100,2)
| eval Date = strftime(_time, "%Y-%b-%d")
| chart max(Success) AS Success OVER Date BY svc_nm
| eval Date=substr(Date,9,2)."-".substr(Date,6,2)."-".substr(Date,1,4)
| transpose header_field=Date
|rename svc_nm AS "Service Name"

 Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

Try something like this

index="main"
| eval txstatus=case(status=200,"Success",status >200 AND status <500,"Business_Fail",status >=500,"System_Fail")
| eval success_pass_count = Success + Business_Fail
| eval svc_nm=case(match(api_name,"login"),"Login",match(api_name,"Prepaid"),"Prepaid Registration",match(api_name,"Postpaid"),"Postpaid Registration",true(),"unKnown")
| bin span=1d _time
| stats count as total sum(success_pass_count) as Success_pass_count
by svc_nm,_time
| eval Success=round((Success_pass_count/total) * 100,2)
| xyseries svc_nm _time Success
| transpose 0 header_field=svc_nm column_name=date
| eval date=strftime(date,"%d-%b-%Y")
| transpose 0 header_field=date column_name="Service Name"
0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...