Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart with Failurepercentage and appendcols

yuvrajsharma_13
Explorer
‎08-29-2023 07:56 AM

I am using below query to get search result and calculate the failure percentage but not getting the expected result.

 

index=dl* ("Error_MongoDB") | timechart span 1d count as Failure | appendcols [search index=dl* ("inserted Record") | timechart span=1d count as Success | eval (FailurePercentage = Failure/Sucess)*100 | field _time,Failure,Sucess,FailurePercentage

 

I am getting all the values except FailurePercentage. What could be the reason ?

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-30-2023 04:04 PM

So, try the suggestion - you only need the single search as I posted earlier, but with your updated search it should be like this

index=dl* ("Error_MongoDB") OR ("Record_Inserted") 
| eval Status=if(match(_raw, "Error_MongoDB"), "Failure", "Success")
| rename msg.attribute.ticketId as ticketId
| timechart span=1d dc(ticketId) by Status 
| eval FailurePercentage = (Failure/Success)*100 
| fillnull FailurePercentage

You don't need to use all the fields/table commands - the timechart will remove all the unnecessary fields anyway

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎08-29-2023 04:46 PM

There are lots of errors in that query if cut/pasted to a Splunk search, but if you are not getting FailurePercentage, that's because the statement

| eval (FailurePercentage = Failure/Sucess)*100

is not a valid Splunk eval statement and Sucess is also spelt incorrectly compared to the calculation in your stats command

Note that your approach to appendcols if not a good way to approach this problem and can be done more efficiently like this

index=dl* ("Error_MongoDB") OR ("inserted Record") 
| eval Status=if(match(_raw, "Error_MongoDB"), "Failure", "Success")
| timechart span=1d count as Total by Status 
| eval FailurePercentage = (Failure/Success)*100 
| fillnull FailurePercentage

so you don't need a subsearch and can do it in one timechart and the fillnull will take care if the value of Success is 0

Note that the eval Status line may be improved if you have a field that can indicate success/failure better than by matching _raw

0 Karma
Reply
Solved! Jump to solution

yuvrajsharma_13
Explorer
‎08-30-2023 02:36 PM

Thank you @bowesmana for quick response. I am writing down the exact query here.

I have to combine both the queries to get Failure %  using timechart.

 

Query 1 ( Success ) :

index=dl* ("Record_Inserted")  | fields msg.attribute.ticketId

| rename msg.attribute.ticketId as ticketId

| table ticketId,_time

| timechart span=1d dc(ticketId)

 

Query 2 ( Failure ) :

index=dl* ("Error_MongoDB")  | fields msg.attribute.ticketId | rename msg.attribute.ticketId as ticketId

| table ticketId,_time

| timechart span=1d dc(ticketId)

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-30-2023 04:04 PM

So, try the suggestion - you only need the single search as I posted earlier, but with your updated search it should be like this

index=dl* ("Error_MongoDB") OR ("Record_Inserted") 
| eval Status=if(match(_raw, "Error_MongoDB"), "Failure", "Success")
| rename msg.attribute.ticketId as ticketId
| timechart span=1d dc(ticketId) by Status 
| eval FailurePercentage = (Failure/Success)*100 
| fillnull FailurePercentage

You don't need to use all the fields/table commands - the timechart will remove all the unnecessary fields anyway

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...