Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

format my successRate query into a week over week comparison

billycn20
Explorer
‎05-06-2021 12:45 PM

i have a working query which is monitoring the success rate based off a value called app_id. i want to extend the current query i have and also show the success rate for each app_id but broken down by currentWeek, lastWeek, 2weeksago success rate percentage.

 

My current query is:
index=jj3 "TRANSACTIONA" OR "TRANSACTIONB" | rex field=log "\"app_id\": \W(?<app_id>\w+)\W" | rex field=log "\"event_name\": \W(?<event_name>[a-zA-Z-|_|:]+)\W" | eval firstTransaction=if(event_name=="TRANSACTIONA", 1, 0) | eval secondTransaction=if(event_name=="TRANSACTIONB", 1, 0) | stats sum(firstTransaction) as TotalfirstTransaction sum(secondTransaction) as TotalsecondTransaction by app_id | dedup app_id | eval successRate=round(TotalsecondTransaction/TotalfirstTransaction*100, 1)."%" | fillnull successRate | sort - successRate | search NOT successRate=0

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sravankaripe
Communicator
‎05-06-2021 12:52 PM

try with this at the end  
select timerange last 30 days like that 

---  ----  ---- | bin _time span=1w | stats count


View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sravankaripe
Communicator
‎05-06-2021 12:52 PM

try with this at the end  
select timerange last 30 days like that 

---  ----  ---- | bin _time span=1w | stats count


0 Karma
Reply
Solved! Jump to solution

billycn20
Explorer
‎05-06-2021 12:59 PM

no, that doesn't seem to provide any desirable results.

0 Karma
Reply
Solved! Jump to solution

sravankaripe
Communicator
‎05-06-2021 01:01 PM

remove dedup after stats you may get some results

 

0 Karma
Reply
Solved! Jump to solution

billycn20
Explorer
‎05-06-2021 01:11 PM

using that suggestion as well, doesn't provide any change in results. my stats actually still looks identical to my original query:

here is the updated query as per your suggestions:

index=jj3 "TRANSACTIONA" OR "TRANSACTIONB" | rex field=log "\"app_id\": \W(?<app_id>\w+)\W" | rex field=log "\"event_name\": \W(?<event_name>[a-zA-Z-|_|:]+)\W" | eval firstTransaction=if(event_name=="TRANSACTIONA", 1, 0) | eval secondTransaction=if(event_name=="TRANSACTIONB", 1, 0) | bin _time span=2w | stats sum(firstTransaction) as TotalfirstTransaction sum(secondTransaction) as TotalsecondTransaction by app_id | eval successRate=round(TotalsecondTransaction/TotalfirstTransaction*100, 1)."%" | fillnull successRate | sort - successRate | search NOT successRate=0

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...