Need help with a Splunk query to display % failures for each day during the time range selected
% failures = A1/A2 *100
A1= Total number of events returned by the below query:
index="abc" "searchTermForA1"
A2= Total number of events returned by the below query:
index="xyz" "searchTermForA2"
Expected Output:
-------Date-------|--------A1-------------|------A2----------|-----% failures-------
Separate rows in the result set for date 1-Jul, 2-Jul, 3-Jul, 4-Jul, 5-Jul, 6-Jul and 7-Jul, for time range selected as 1-Jul to 7-Jul.
Please help with the query.
Thanks!
@ITWhisperer Thanks for the reply!
I also have a scenario where I need to find the % failure for each day during the time range selected, for the same index but a different search term.
% failures = A1/A2 *100
A1= Total number of events returned by the below query:
index="abc" "searchTermForA1"
A2= Total number of events returned by the below query:
index="abc" "searchTermForA2"
Please help.
It will depend on what "searchTermForA1" and "searchTermForA2" actually are, and possibly what your events actually look like:
index="abc" "searchTermForA1"
| bin _time span=1d
| stats count as A1 by _time
| append [| search index="abc" "searchTermForA2"
| bin _time span=1d
| stats count as A2 by _time
]
| stats values(*) as * by _time
| eval failures=100*A1/A2
(index="abc" "searchTermForA1") OR (index="xyz" "searchTermForA2")
| bin _time span=1d
| stats count(eval(index="abc")) as A1 count(eval(index="xyz")) as A2 by _time
| eval failures=100*A1/A2
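An added example, not part of the replies above: a single-pass variant for the same-index case that avoids the `append` subsearch and produces the Date / A1 / A2 / % failures layout asked for. It assumes both search terms are plain literal strings that `searchmatch()` can test against the raw event; the `Date` column and its `%d-%b` format are choices made for this example.

```spl
index="abc" ("searchTermForA1" OR "searchTermForA2")
| bin _time span=1d
| stats count(eval(searchmatch("searchTermForA1"))) as A1
        count(eval(searchmatch("searchTermForA2"))) as A2
        by _time
| eval failures=if(A2>0, round(100*A1/A2, 2), null())
| eval Date=strftime(_time, "%d-%b")
| table Date A1 A2 failures
| rename failures as "% failures"
```

An event containing both terms is counted in both A1 and A2, as it would be by the two separate searches. The `if(A2>0, ...)` guard leaves "% failures" empty on days where A2 is 0.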