Splunk Search

Timechart % failures every 30 mins from nginx access logs

Path Finder



index=myindex source="/var/log/nginx/access.log" |
  eval status_group=case(status!=200, "fail", status=200, "success") |
  stats count by status_group |
  eventstats sum(count) as total |
  eval percent= round(count*100/total,2) |
  where status_group="fail"



Looking at nginx access logs for a web application.  This query tells me the amount of failures (non 200), total amount of calls (all msgs in log) and the % of failures vs total.  As follows:



What I'd like to do next is timechart these every 30m to see what % of failures I get in 30 min windows but the only attempt where I got close did it as a % of the total calls in the log skewing the result completely.  Basically a row like above but for every 30 min of my search period.  Feel free to rewrite the entire query as I cobbled this together anyway.

Labels (2)
Tags (2)
0 Karma
1 Solution


Try something like this

index=myindex source="/var/log/nginx/access.log" 
| bin _time span=30m
| stats count as total count(eval(status!=200)) as fail by _time
| eval percent= round(fail*100/total,2)

View solution in original post


Try something like this

index=myindex source="/var/log/nginx/access.log" 
| bin _time span=30m
| stats count as total count(eval(status!=200)) as fail by _time
| eval percent= round(fail*100/total,2)

Path Finder

Works perfect, thanks!

0 Karma
Get Updates on the Splunk Community!

Cloud Platform | Customer Change Announcement: Email Notification Will Be Available ...

The Notification Team is migrating our email service provider since, currently there’s no support for email ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...

What’s New With SOAR 6.3

Register here for our Security Edition Tech Talk on Wednesday, October 2 , 2024  |  11AM–12PM PTTune in to see ...