Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timechart with success and failure and failure/success percentage, grouped by Server

pjtbasu
Explorer
‎09-22-2017 02:15 AM

I've two patterns, say like this - "successPattern" and "failurePattern". I want to make a timechart comparing success vs failure and failure percentage, server wise. I've attached the expected output. Here host1, host2 are the servers, available with field name "host"

Could someone please help ?

Preview file
4 KB
0 Karma
Reply

cmerriman
Super Champion
‎09-22-2017 06:48 AM

so you can't have a multi-tiered table, like you show in your example, in Splunk. The closest you can get is to name the columns with host1-failures, host1-success, etc.

something like this might work:

...|timechart span=1m count(successPattern) as success count(failurePattern) as failures by host|foreach failures* [eval failure_perc<<MATCHSTR>>='<<FIELD>>'/('<<FIELD>>'+'success<<MATCHSTR>>')*100]|fields _time *host1 *host2

if your success/failures is in the same field, you'll need to adjust the timechart commands to use something like count(eval(field="successPattern")) as success

0 Karma
Reply

pjtbasu
Explorer
‎09-22-2017 02:05 PM

Not getting fully. What will be at the start, before the time chart pipe ? To be clear, successPattern/failurePattern is not a field name, but rather a generic pattern, they may not even be in same field.

For example successpattern is "functionName status is:0" and failurepattern is "functionname completed with error" . Also the value of host field changes according to the success/failure patterns and it's not limited to host1 and host2, so can't hard-code in the search. I'm trying to get a generic query.

host1-success,host2-success columns are absolutely fine.

Simply my requirement is, "provide server wise failure/success count and failure percentage, where 2 patterns for success and failure will be provided"

0 Karma
Reply

cmerriman
Super Champion
‎09-22-2017 02:11 PM

i would probably create a field called successPattern and one called failurePatten based on what you've outlined. I'm not sure if "funcationName status is:0" is from raw events, but let's say you can use that.

base search|eval successPattern=if(like(_raw,"%functionName status is:0%"),1,null())|eval failurePattern=if(like(_raw,"%functionname completed with error%"),1,null())|timechart span=1m count(successPattern) as success count(failurePattern) as failures by host|foreach failures* [eval failure_perc<<MATCHSTR>>='<<FIELD>>'/('<<FIELD>>'+'success<<MATCHSTR>>')*100]|fields _time *host1 *host2
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...