Splunk Search

Understanding bins and spans

New Member

here is a query that is supposed to calculate a % of failed operations over a period of time (A message 'end' is sent with a status that could be 'failed'). Please excuse incorrect or non technical terminology, I'm a very new to this. I am trying to make sure I understand the meaning of bin and span in this particular search. Does this mean that I'm putting all of my events into chunks by 1 hour (so all events from 11am until noon are in one bucket, all events from noon to 1pm are in the next bucket, etc). Then I calculate the total number of events per each bucket (count as complete), calculate the total number of events per each bucket where status=failed (eval(status="failed")). Then for the timechart command, I add up all these totals from each bucket over 1 day and calculate my percentage. Is that a correct understanding? Thank you!

For example, if my data is like this:
event 1:
timestamp: June 11, 2018 9am
message: end
status: success
event 2:
timestamp: June 11, 2018 9:15am
message: end
status: failed

event 3:
timestamp: June 11, 2018 10am
message: end
status: success
event 3:
timestamp: June 11, 2018 10:15am
message: end
status: success

Then my failure rate % is (1+0)/(2+2)*100 = 25%,

index="index" "message=end" 
          | bin span=1h _time 
          | stats count as complete,
            count(eval(status="failed")) as failed by _time
          | timechart span=1d eval(100*sum(eval(failed))/sum(eval(complete))) as "Failed %"
0 Karma


look like you are making thing very difficult.
Please use the below query. it will work

index="index" "message: end"
| timechart span=1h count as complete
| appendcols [ search index="index" "message: end" "status: failed"
| timechart span=1h count as failed ]
| eval percentage=failed*100/complete as "Failed %"

Please let me know if any issues

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!