Solved: Timechart % failures every 30 mins from nginx acce...

guywood13 · ‎02-13-2024

index=myindex source="/var/log/nginx/access.log" |
  eval status_group=case(status!=200, "fail", status=200, "success") |
  stats count by status_group |
  eventstats sum(count) as total |
  eval percent= round(count*100/total,2) |
  where status_group="fail"

Looking at nginx access logs for a web application. This query tells me the amount of failures (non 200), total amount of calls (all msgs in log) and the % of failures vs total. As follows:

status_group	count	percent	total
fail	20976	2.00	1046605

What I'd like to do next is timechart these every 30m to see what % of failures I get in 30 min windows but the only attempt where I got close did it as a % of the total calls in the log skewing the result completely. Basically a row like above but for every 30 min of my search period. Feel free to rewrite the entire query as I cobbled this together anyway.

ITWhisperer · ‎02-13-2024

Try something like this

index=myindex source="/var/log/nginx/access.log" 
| bin _time span=30m
| stats count as total count(eval(status!=200)) as fail by _time
| eval percent= round(fail*100/total,2)

View solution in original post

ITWhisperer · ‎02-13-2024

Try something like this

index=myindex source="/var/log/nginx/access.log" 
| bin _time span=30m
| stats count as total count(eval(status!=200)) as fail by _time
| eval percent= round(fail*100/total,2)

guywood13 · ‎02-15-2024

Works perfect, thanks!

Timechart % failures every 30 mins from nginx access logs

stats

timechart

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)