Hi all,
I am trying to display a calculation for the failure rate when taking into consideration the volume of all transactions. For some reason the values for the failure_rate are not appearing in my results. I am not able to find the mistake in the search.
base search...
| timechart span=1h count(errorType) as total
| eval "Date/Time"=strftime('_time', "%A, %B %e, %Y %I:%M %p")
| append
[ base search...
| timechart span=1h count(success) as alltransactions
| eval "Date/Time"=strftime('_time', "%A, %B %e, %Y %I:%M %p")]
| eval failure_rate=round(total/alltransactions*100,1)
| stats values(failure_rate) as failure_rate values(alltransactions) as alltransactions values(total) as total by "Date/Time"
| table "Date/Time" failure_rate alltransactions total
Many thanks!
When you use append, events get added to the end. So in your case, you have events on the top with the total fields and events at the bottom have the alltransactions field. Hence your math doesn't work. It's either total/null OR null/alltransactions, both generating errors. To fix this, you should get rid of the append subsearch. Try this:
(base search for error events) OR (base search for success events)
| eval errors=if(isnotnull(errorType), 1, 0)
| eval success=if(isnotnull(success), 1, 0)
| timechart span=1h sum(errors) as total sum(success) as alltransactions
| eval failure_rate=round(total/alltransactions*100,1)
| eval _time=strftime('_time', "%A, %B %e, %Y %I:%M %p")
Hi, thank you for your reply. Your above query is essentially doing the correct calculations. However, the failure rate turns out to be 100% for the entire column. The base search for error events only differs in the part that success=false while the base search for success events will include success=true.
Since the two base queries only differ by that success=true or success=false part, I tried to tweak the query using only 1 base query but applying some additional commands, however now I am getting an error message... Am I on the right track?
(base search for error and success events)
| stats count(eval(success="false")) as fail count(eval(success="true")) as approve
| eval errors=if(isnotnull(fail), 1, 0)
| eval success=if(isnotnull(approve), 1, 0)
| timechart span=1h sum(fail) as total sum(approve) as alltransactions
| eval failure_rate=round(total/alltransactions*100,1)
| eval _time=strftime('_time', "%A, %B %e, %Y %I:%M %p")
Actually, I think I got it:
(base query that includes failed and approved transactions)
| timechart span=1h count(eval(errorType="approved")) as approvals count(eval(errorType)) as AllErrors count(eval(event="transactionCompleted")) as CompletedTransactions
| eval Failures=AllErrors-approvals
| eventstats sum(CompletedTransactions) as columntotal
| eval percent_failure=round(Failures*100/columntotal , 1)
| table _time percent_failure
| eval _time=strftime('_time', "%A, %B %e, %Y %I:%M %p")
| rename percent_failure as "Failure Rate", _time as "Date/Time"
Hi @demkic - Did the answer provided by sundareshr help steer you in the right direction towards a working solution? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
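Added example, not part of the original thread and not any poster's own search: a run-anywhere query that computes the hourly failure rate in a single pass, so that total and alltransactions land on the same row before the eval runs. It assumes, as described in the thread, that every transaction event carries success=true or success=false; the makeresults events and the field n are constructed sample data.

```spl
| makeresults count=8
| streamstats count as n
| eval _time=relative_time(now(), "-2h@h") + (n-1)*900
| eval success=if(n%4==0, "false", "true")
| timechart span=1h count(eval(success="false")) as total count as alltransactions
| where alltransactions>0
| eval failure_rate=round(total/alltransactions*100, 1)
| eval "Date/Time"=strftime(_time, "%A, %B %e, %Y %I:%M %p")
| table "Date/Time" failure_rate alltransactions total
```

To use it on real data, replace the first four lines with the base search that returns both failed and successful transactions.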