Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use results of search field value to do subsearch and calculate success percentage

RobKelley06
Path Finder
‎06-16-2021 10:02 AM

I am attempting to get the success counts by using the results of a search of requests and checking each result for it's response to see if it was a success.
This initial search will save the count as Total.
The initial search will have results similar to:
20210616:12:28:49.356;123456;12345;SRQ;

I need to extract every thing in the position as "123456;12345" and do a subsearch on each and if there is a result, add 1 to the success count.

Then i will display the percent of successes based on the total requests.  I have tried:

index=soe host=dc1 sourcetype="request" source="/vds_request_*.log" "SRQ"
| stats count as Total
| eval successes = 0
| rex field=_raw "(([^;]*);)(?<id>\d+;\d+);"
| map search="index=soe host=dc1 sourcetype='request' source='/vds_request_*.log' 'SRS;0;' id = $id$"
| stats count as success
| eval percent = round(success / Total * 100, 3)
| table percent


I am getting the error Error in 'map': Did not find value for required attribute 'id'.  I am new to using map so I know that I'm using it wrong, I just can't see to find what I'm trying to do anywhere.

Labels (1)
Labels
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-16-2021 11:18 AM

@RobKelley06 

After stats command _raw is not accessible. So rex command will not work and id field will not be extracted. The reason for error is map is the same.

BTW, Can you please try this?
 

index=soe host=dc1 sourcetype="request" source="/vds_request_*.log" "SRQ" 
| rex field=_raw "(([^;]*);)(?<id>\d+;\d+);" 
| stats sum(eval(if(isnotnull(id),1,0))) as cnt count as Total | eval percent=round(cnt*100/Total,3)

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply

RobKelley06
Path Finder
‎06-16-2021 11:58 AM

I don't think that works exactly, it doesn't do the 2nd search for the corresponding "SRS" respond to the "SRQ" Request

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2021 11:01 AM 
index=soe host=dc1 sourcetype="request" source="/vds_request_*.log" "SRQ" OR "SRS"
| eval parts=split(_raw,";") 
| eval id=mvindex(parts,1).";".mvindex(parts,2)
| eval type=mvindex(parts,3)
| eval success=mvindex(parts,4)
| eval success=if(success=0,"success",null)
| stats values(success) as success by id
| stats count as total count(success) as successes
| eval percent=round(100*successes/total,3)
| table percent

In this instance, the problem with the map command is using it in the first place 😀 Assuming your SRS logs follow the same format as SRQ

0 Karma
Reply

RobKelley06
Path Finder
‎06-16-2021 12:02 PM

This seems to give the total success % but if i try to refine the search to add (ou="aems" AND "SRQ")

such as:

 index=soe host=dc1 sourcetype="request" source="/vds_request_*.log" (ou="aems" AND "SRQ") OR "SRS"



It will still give the total request % and not just those that the SRQ results are looking for.  I need to match the id from SRQ to an id from SRS and only include those results.  Also, the total results should only include SRQ total count.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...