Solved: Timechart % failures every 30 mins from nginx acce...

guywood13 · ‎02-13-2024

index=myindex source="/var/log/nginx/access.log" |
  eval status_group=case(status!=200, "fail", status=200, "success") |
  stats count by status_group |
  eventstats sum(count) as total |
  eval percent= round(count*100/total,2) |
  where status_group="fail"

Looking at nginx access logs for a web application. This query tells me the amount of failures (non 200), total amount of calls (all msgs in log) and the % of failures vs total. As follows:

status_group	count	percent	total
fail	20976	2.00	1046605

What I'd like to do next is timechart these every 30m to see what % of failures I get in 30 min windows but the only attempt where I got close did it as a % of the total calls in the log skewing the result completely. Basically a row like above but for every 30 min of my search period. Feel free to rewrite the entire query as I cobbled this together anyway.

ITWhisperer · ‎02-13-2024

Try something like this

index=myindex source="/var/log/nginx/access.log" 
| bin _time span=30m
| stats count as total count(eval(status!=200)) as fail by _time
| eval percent= round(fail*100/total,2)

View solution in original post

ITWhisperer · ‎02-13-2024

Try something like this

index=myindex source="/var/log/nginx/access.log" 
| bin _time span=30m
| stats count as total count(eval(status!=200)) as fail by _time
| eval percent= round(fail*100/total,2)

guywood13 · ‎02-15-2024

Works perfect, thanks!

Timechart % failures every 30 mins from nginx access logs

stats

timechart

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake