Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Timechart % failures every 30 mins from nginx access logs

guywood13
Path Finder
‎02-13-2024 07:14 AM

 

 

index=myindex source="/var/log/nginx/access.log" |
  eval status_group=case(status!=200, "fail", status=200, "success") |
  stats count by status_group |
  eventstats sum(count) as total |
  eval percent= round(count*100/total,2) |
  where status_group="fail"

 

 

Looking at nginx access logs for a web application.  This query tells me the amount of failures (non 200), total amount of calls (all msgs in log) and the % of failures vs total.  As follows:

status_groupcountpercenttotal
fail209762.001046605

 

What I'd like to do next is timechart these every 30m to see what % of failures I get in 30 min windows but the only attempt where I got close did it as a % of the total calls in the log skewing the result completely.  Basically a row like above but for every 30 min of my search period.  Feel free to rewrite the entire query as I cobbled this together anyway.

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-13-2024 08:45 AM

Try something like this

index=myindex source="/var/log/nginx/access.log" 
| bin _time span=30m
| stats count as total count(eval(status!=200)) as fail by _time
| eval percent= round(fail*100/total,2)

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-13-2024 08:45 AM

Try something like this

index=myindex source="/var/log/nginx/access.log" 
| bin _time span=30m
| stats count as total count(eval(status!=200)) as fail by _time
| eval percent= round(fail*100/total,2)
Reply
Solved! Jump to solution

guywood13
Path Finder
‎02-15-2024 02:51 AM

Works perfect, thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...