Splunk Search

creating a report that shows indexedtime vs logged time for each hour in percentage.

mrtolu6
Path Finder

I want to create a chart separated by hours (24hours) that shows the number of data that took more than 2 mins to be indexed (indextime-time) and converted into percent. The percent would be the total event that took over 2mins to be indexed divided by the total number of events for that hour.(for that 1 hour span)

This is the basic search I'm using to calculate the events over 2mins
index=nameoftheindex | eval time=_time | eval indextime=_indextime | eval diff=indextime-time | where diff>=120 | convert ctime(indextime) | convert ctime(time) fields sourcetype indextime time diff

Any help would be helpful. Thanks

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

You can't use a where clause that eliminates all the events under 2 minutes, and then later get a percentage of the total, because you don't have the total.

Here's one way...

earliest=-24h@h latest=@h index=nameoftheindex 
| eval GT2=if(_indextime-_time>=120,1,0)
| bin _time span=1h
| stats avg(GT2) as PctGT2 by _time

...or just ...

earliest=-24h@h latest=@h index=nameoftheindex 
| eval GT2=if(_indextime-_time>=120,1,0)
| timechart avg(GT2) as PercentGreaterThan2minutes 

View solution in original post

DalJeanis
SplunkTrust
SplunkTrust

You can't use a where clause that eliminates all the events under 2 minutes, and then later get a percentage of the total, because you don't have the total.

Here's one way...

earliest=-24h@h latest=@h index=nameoftheindex 
| eval GT2=if(_indextime-_time>=120,1,0)
| bin _time span=1h
| stats avg(GT2) as PctGT2 by _time

...or just ...

earliest=-24h@h latest=@h index=nameoftheindex 
| eval GT2=if(_indextime-_time>=120,1,0)
| timechart avg(GT2) as PercentGreaterThan2minutes 

mrtolu6
Path Finder

Thanks DalJeanis that worked. How do I add "%" at the end of PctGT2 results and also move the decimal space to places to the right?

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

earliest=-24h@h latest=@h index=nameoftheindex
| eval GT2=if(_indextime-_time>=120,1,0)
| bin _time span=1h
| stats avg(GT2) as PctGT2 by _time
|eval PctGT2 = round(PctGT2*100,2)."%"

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...