Turn on suggestions

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

Splunk Search

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is my eval calculation not displaying in table...

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page

Highlighted

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

demkic

Explorer

11-30-2016
02:01 PM

Hi all,

I am trying to display a calculation for the failure rate when taking into consideration the volume of all transactions. For some reason the values for the failure_rate are not appearing in my results. I am not able to find the mistake in the search..

```
base search...
| timechart span=1h count(errorType) as total
| eval "Date/Time"=strftime('_time', "%A, %B %e, %Y %I:%M %p")
| append
[ base search...
| timechart span=1h count(success) as alltransactions
| eval "Date/Time"=strftime('_time', "%A, %B %e, %Y %I:%M %p")] | eval failure_rate=round(total/alltransactions*100,1) | stats values(failure_rate) as failure_rate values(alltransactions) as alltransactions values(total) as total by "Date/Time" | table "Date/Time" failure_rate alltransactions total
```

Many thanks!

1 Solution

Highlighted

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

sundareshr

Legend

11-30-2016
02:11 PM

When you use `append`

events get added to the end. So in your case, you have events on the top with the `total`

fields and events at the bottom have the `alltransactions`

field. Hence you math doesn't work. Its either `total/null`

OR `null/alltransactions`

, both generating errors. To fix this, you should get rid of the `append`

subsearch. Try this

```
(base search for error events) OR (base search for success events) | eval errors=if(isnotnull(errorType), 1, 0) | eval success=if(isnotnull(success), 1, 0) | timechart span=1h sum(errors) as total sum(success) as alltransactions | eval failure_rate=round(total/alltransactions*100,1) | | eval _time=strftime('_time', "%A, %B %e, %Y %I:%M %p")
```

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Why is my eval calculation not displaying in table?

demkic

Explorer

11-30-2016
02:55 PM

Hi, thank you for your reply. Your above query is essentially doing the correct calculations. However, the failure rate turns out to be 100% for the entire column. The base search for error events only differs in the part that success=false while the base search for success events will include success=true.

Since the two base queries only differ by that success=true or success=false part, I tried to tweak the query using only 1 base query but applying some additional commands, however now I am getting an error message... Am I on the right track?

```
(base search for error and success events) | stats count(eval(success="false")) as fail count(eval(success="true")) as approve| eval errors=if(isnotnull(fail), 1, 0) | eval success=if(isnotnull(approve), 1, 0) | timechart span=1h sum(fail) as total sum(approve) as alltransactions | eval failure_rate=round(total/alltransactions*100,1) | eval _time=strftime('_time', "%A, %B %e, %Y %I:%M %p")
```

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Why is my eval calculation not displaying in table?

demkic

Explorer

11-30-2016
03:17 PM

Actually, I think I got it:

```
(base query that includes failed and approved transactions)
| timechart span=1h count(eval(errorType="approved")) as approvals count(eval(errorType)) as AllErrors count(eval(event="transactionCompleted")) as CompletedTransactions
| eval Failures=AllErrors-approvals
| eventstats sum(CompletedTransactions) as columntotal
| eval percent_failure=round(Failures*100/columntotal , 1)
| table _time percent_failure | eval _time=strftime('_time', "%A, %B %e, %Y %I:%M %p") | rename percent_failure as "Failure Rate", _time as "Date/Time"
```

Highlighted
##

Hi @demkic - Did the answer provided by sundareshr help steer you in the right direction towards a working solution? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Why is my eval calculation not displaying in table?

aaraneta_splunk

Splunk Employee

12-09-2016
02:51 PM