Why is my eval calculation not displaying in table?

demkic
Explorer

Hi all,

I am trying to display a calculation for the failure rate when taking into consideration the volume of all transactions. For some reason the values for failure_rate are not appearing in my results. I am not able to find the mistake in the search.

base search...
| timechart span=1h count(errorType) as total 
| eval "Date/Time"=strftime('_time', "%A, %B %e, %Y %I:%M %p") 
| append 
    [ base search...
    | timechart span=1h count(success) as alltransactions 
    | eval "Date/Time"=strftime('_time', "%A, %B %e, %Y %I:%M %p")]
| eval failure_rate=round(total/alltransactions*100,1)
| stats values(failure_rate) as failure_rate values(alltransactions) as alltransactions values(total) as total by "Date/Time"
| table "Date/Time" failure_rate alltransactions total

Many thanks!

0 Karma
1 Solution

sundareshr
Legend

When you use append, events get added to the end. So in your case, you have events on the top with the total field and events at the bottom that have the alltransactions field. Hence your math doesn't work. It's either total/null OR null/alltransactions, both generating errors. To fix this, you should get rid of the append subsearch. Try this

(base search for error events) OR (base search for success events)
| eval errors=if(isnotnull(errorType), 1, 0)
| eval success=if(isnotnull(success), 1, 0)
| timechart span=1h sum(errors) as total sum(success) as alltransactions
| eval failure_rate=round(total/alltransactions*100,1)
| eval _time=strftime('_time', "%A, %B %e, %Y %I:%M %p")


0 Karma


demkic
Explorer

Hi, thank you for your reply. Your above query is essentially doing the correct calculations. However, the failure rate turns out to be 100% for the entire column. The base search for error events only differs in that it has success=false, while the base search for success events has success=true.

Since the two base queries only differ by that success=true or success=false part, I tried to tweak the query using only 1 base query but applying some additional commands, however now I am getting an error message... Am I on the right track?

(base search for error and success events)
| stats count(eval(success="false")) as fail count(eval(success="true")) as approve
| eval errors=if(isnotnull(fail), 1, 0)
| eval success=if(isnotnull(approve), 1, 0)
| timechart span=1h sum(fail) as total sum(approve) as alltransactions
| eval failure_rate=round(total/alltransactions*100,1)
| eval _time=strftime('_time', "%A, %B %e, %Y %I:%M %p")
0 Karma
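The search below is an added example, not from any of the posts above, that combines sundareshr's point (keep both kinds of events in one search so the hourly counts land on the same row, instead of appending a second result set whose rows never line up with the first) with the detail demkic raised, namely that the two base searches differ only in success=true versus success=false. It also explains the 100% result: isnotnull(success) is true for both values, so alltransactions counts every event, and if errorType is present on every event as well, total equals alltransactions in every hour. Counting with eval() conditions inside timechart avoids that. The index, sourcetype and field names (index=payments, sourcetype=txn_api, a string field success holding "true" or "false") are assumptions for illustration only and do not come from the page.

```spl
index=payments sourcetype=txn_api earliest=-24h
| timechart span=1h count(eval(success="false")) as total count(eval(success="true")) as approved
| fillnull value=0 total approved
| eval alltransactions=total+approved
| eval failure_rate=if(alltransactions>0, round(total/alltransactions*100, 1), null())
| eval "Date/Time"=strftime(_time, "%A, %B %e, %Y %I:%M %p")
| table "Date/Time" failure_rate alltransactions total
```

Two guards are worth keeping even once the counts are right. fillnull turns an hour with no events of one kind into 0 rather than a blank that silently nulls the division, and the if() around the ratio keeps an hour with zero transactions from producing a misleading value instead of an empty cell. Staying inside one search also sidesteps the result and time limits that apply to an append subsearch, which can truncate the second half of the data without any visible error.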

demkic
Explorer

Actually, I think I got it:

(base query that includes failed and approved transactions) 
| timechart span=1h count(eval(errorType="approved")) as approvals count(eval(errorType)) as AllErrors count(eval(event="transactionCompleted")) as CompletedTransactions 
| eval Failures=AllErrors-approvals 
| eventstats sum(CompletedTransactions) as columntotal
| eval percent_failure=round(Failures*100/columntotal , 1)
| table _time percent_failure
| eval _time=strftime('_time', "%A, %B %e, %Y %I:%M %p")
| rename percent_failure as "Failure Rate", _time as "Date/Time"
0 Karma

aaraneta_splunk
Splunk Employee

Hi @demkic - Did the answer provided by sundareshr help steer you in the right direction towards a working solution? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
