Splunk Search

Timechart with success and failure and failure/success percentage, grouped by Server

pjtbasu
Explorer

I've two patterns, say like this: "successPattern" and "failurePattern". I want to make a timechart comparing success vs failure and failure percentage, server-wise. I've attached the expected output. Here host1 and host2 are the servers, available with the field name "host".

Could someone please help?

0 Karma

cmerriman
Super Champion

So you can't have a multi-tiered table, like you show in your example, in Splunk. The closest you can get is to name the columns with host1-failures, host1-success, etc.

Something like this might work:

...
| timechart span=1m count(successPattern) as success count(failurePattern) as failures by host
| foreach failures* [eval failure_perc<<MATCHSTR>>='<<FIELD>>'/('<<FIELD>>'+'success<<MATCHSTR>>')*100]
| fields _time *host1 *host2

If your success/failure values are in the same field, you'll need to adjust the timechart commands to use something like count(eval(field="successPattern")) as success

0 Karma

pjtbasu
Explorer

Not getting it fully. What will be at the start, before the timechart pipe? To be clear, successPattern/failurePattern is not a field name but rather a generic pattern; they may not even be in the same field.

For example, successPattern is "functionName status is:0" and failurePattern is "functionname completed with error". Also, the value of the host field changes according to the success/failure patterns, and it's not limited to host1 and host2, so I can't hard-code it in the search. I'm trying to get a generic query.

host1-success, host2-success columns are absolutely fine.

Simply put, my requirement is: "provide server wise failure/success count and failure percentage, where 2 patterns for success and failure will be provided"

0 Karma

cmerriman
Super Champion

I would probably create a field called successPattern and one called failurePattern based on what you've outlined. I'm not sure if "functionName status is:0" is from raw events, but let's say you can use that.

base search
| eval successPattern=if(like(_raw,"%functionName status is:0%"),1,null())
| eval failurePattern=if(like(_raw,"%functionname completed with error%"),1,null())
| timechart span=1m count(successPattern) as success count(failurePattern) as failures by host
| foreach failures* [eval failure_perc<<MATCHSTR>>='<<FIELD>>'/('<<FIELD>>'+'success<<MATCHSTR>>')*100]
| fields _time *host1 *host2

0 Karma
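A worked variant of the approach above, added here as an example and not from any poster in the thread: it classifies each event by the two raw-text patterns from the question, computes the per-minute failure percentage per host before the split-by (so no host names are hard-coded and a minute with zero matching events does not produce a divide-by-zero null), and only then pivots into timechart columns. The index and sourcetype are placeholder assumptions.

```spl
index=app_logs sourcetype=app_events
| eval outcome=case(
      like(_raw, "%functionName status is:0%"),          "success",
      like(_raw, "%functionname completed with error%"), "failure")
| where isnotnull(outcome)
| bin _time span=1m
| stats count(eval(outcome="success")) as success
        count(eval(outcome="failure")) as failures
        by _time host
| eval failure_perc=if(success+failures=0, 0,
                       round(failures/(success+failures)*100, 2))
| timechart span=1m limit=0 sum(success) as success
                    sum(failures) as failures
                    max(failure_perc) as failure_perc by host
| fillnull value=0
```

The output columns follow timechart's "stat: host" naming (success: host1, failures: host1, failure_perc: host1, ...) for every host seen; limit=0 lifts the default cap of ten split-by series, and dropping the final timechart leaves a long table with one row per minute and host if that is easier to consume.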