Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

calculate percentage of a each ErrorCode field by servername

indeed_2000
Motivator
‎10-06-2021 05:53 AM

Hi

how can I calculate percentage of a each ErrorCode field by servername?

here is the spl:

index="my_index"
| rex field=source "\/log\.(?<servername>\w+)."
| rex "Err\-ErrorCode\[(?<ErrorCode>\d+)"

expected output:

Servername     ErrorCode      Percentage 

server1             404                    50%

                             500                    40%

                             200                    10%

server2             500                    50%

                             404                    45%

                             200                    5%

 

any idea?

 Thanks 

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-06-2021 06:29 AM 
index="my_index"
| rex field=source "\/log\.(?<servername>\w+)."
| rex "Err\-ErrorCode\[(?<ErrorCode>\d+)"
| eventstats count as servercount by servername
| stats count as errorcount values(servercount) as servercount by servername ErrorCode
| eval Percentage=round(100*errorcount/servercount,2)
| table servername ErrorCode Percentage

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-06-2021 06:29 AM 
index="my_index"
| rex field=source "\/log\.(?<servername>\w+)."
| rex "Err\-ErrorCode\[(?<ErrorCode>\d+)"
| eventstats count as servercount by servername
| stats count as errorcount values(servercount) as servercount by servername ErrorCode
| eval Percentage=round(100*errorcount/servercount,2)
| table servername ErrorCode Percentage
Reply
Solved! Jump to solution

indeed_2000
Motivator
‎10-06-2021 07:02 AM

Thank you for answer, is it possible to add count, like below?

Servername     ErrorCode      Percentage      count

server1                 404                    50%                       456

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-06-2021 07:08 AM

Just add it to the table command

| table servername ErrorCode Percentage errorcount
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...