Splunk Search

Timechart % failures every 30 mins from nginx access logs

guywood13
Path Finder

 

 

index=myindex source="/var/log/nginx/access.log" |
  eval status_group=case(status!=200, "fail", status=200, "success") |
  stats count by status_group |
  eventstats sum(count) as total |
  eval percent= round(count*100/total,2) |
  where status_group="fail"

 

 

Looking at nginx access logs for a web application. This query tells me the number of failures (non-200), the total number of calls (all msgs in log) and the % of failures vs total, as follows:

status_group  count  percent  total
fail          20976  2.00     1046605

 

What I'd like to do next is timechart these every 30m to see what % of failures I get in 30 min windows, but the only attempt where I got close did it as a % of the total calls in the log, skewing the result completely. Basically a row like above but for every 30 min of my search period. Feel free to rewrite the entire query as I cobbled this together anyway.

1 Solution

ITWhisperer
SplunkTrust

Try something like this

index=myindex source="/var/log/nginx/access.log" 
| bin _time span=30m
| stats count as total count(eval(status!=200)) as fail by _time
| eval percent= round(fail*100/total,2)
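
An independent cross-check of the per-window calculation above, added here as an example (not code from the thread): Python that buckets nginx access-log lines into 30-minute windows and divides each window's non-200 count by that window's own total, next to the skewed variant from the question that divides by the log-wide total. The sample log lines, the assumed combined log format and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed nginx "combined" access-log lines (sample data, not from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:00:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:00:12:40 +0000] "GET /missing HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:00:29:59 +0000] "GET /api HTTP/1.1" 200 87 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:00:30:00 +0000] "GET /api HTTP/1.1" 200 87 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:00:41:03 +0000] "POST /api HTTP/1.1" 502 166 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:00:55:17 +0000] "POST /api HTTP/1.1" 500 170 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:01:05:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:01:10:30 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
"""

# Timestamp in brackets, quoted request line, then the 3-digit status code.
LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
SPAN = 30 * 60  # window size in seconds, the equivalent of `bin _time span=30m`

def failure_rates(log_text, span=SPAN):
    """Return {window_start_epoch: (total, fail, percent)} with a per-window denominator."""
    totals, fails = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip anything that is not an access-log record
        ts = int(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp())
        window = ts - ts % span  # floor the event time to the start of its window
        totals[window] += 1
        if m["status"] != "200":  # same failure definition as the thread: status!=200
            fails[window] += 1
    return {w: (totals[w], fails[w], round(fails[w] * 100 / totals[w], 2))
            for w in sorted(totals)}

def skewed_rates(log_text, span=SPAN):
    """The skew described in the question: window failures over the log-wide total."""
    rates = failure_rates(log_text, span)
    grand_total = sum(total for total, _, _ in rates.values())
    return {w: round(fail * 100 / grand_total, 2) for w, (_, fail, _) in rates.items()}

if __name__ == "__main__":
    skew = skewed_rates(SAMPLE_LOG)
    for w, (total, fail, pct) in failure_rates(SAMPLE_LOG).items():
        start = datetime.fromtimestamp(w, timezone.utc).strftime("%H:%M")
        print(f"{start} total={total} fail={fail} percent={pct} skewed={skew[w]}")
```

Windows with no requests do not appear in the result at all, which matches the behaviour of `bin` followed by `stats ... by _time`.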


guywood13
Path Finder

Works perfect, thanks!
