Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

format my successRate query into a week over week comparison

billycn20
Explorer
‎05-06-2021 12:45 PM

i have a working query which is monitoring the success rate based off a value called app_id. i want to extend the current query i have and also show the success rate for each app_id but broken down by currentWeek, lastWeek, 2weeksago success rate percentage.

 

My current query is:
index=jj3 "TRANSACTIONA" OR "TRANSACTIONB" | rex field=log "\"app_id\": \W(?<app_id>\w+)\W" | rex field=log "\"event_name\": \W(?<event_name>[a-zA-Z-|_|:]+)\W" | eval firstTransaction=if(event_name=="TRANSACTIONA", 1, 0) | eval secondTransaction=if(event_name=="TRANSACTIONB", 1, 0) | stats sum(firstTransaction) as TotalfirstTransaction sum(secondTransaction) as TotalsecondTransaction by app_id | dedup app_id | eval successRate=round(TotalsecondTransaction/TotalfirstTransaction*100, 1)."%" | fillnull successRate | sort - successRate | search NOT successRate=0

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sravankaripe
Communicator
‎05-06-2021 12:52 PM

try with this at the end  
select timerange last 30 days like that 

---  ----  ---- | bin _time span=1w | stats count


View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sravankaripe
Communicator
‎05-06-2021 12:52 PM

try with this at the end  
select timerange last 30 days like that 

---  ----  ---- | bin _time span=1w | stats count


0 Karma
Reply
Solved! Jump to solution

billycn20
Explorer
‎05-06-2021 12:59 PM

no, that doesn't seem to provide any desirable results.

0 Karma
Reply
Solved! Jump to solution

sravankaripe
Communicator
‎05-06-2021 01:01 PM

remove dedup after stats you may get some results

 

0 Karma
Reply
Solved! Jump to solution

billycn20
Explorer
‎05-06-2021 01:11 PM

using that suggestion as well, doesn't provide any change in results. my stats actually still looks identical to my original query:

here is the updated query as per your suggestions:

index=jj3 "TRANSACTIONA" OR "TRANSACTIONB" | rex field=log "\"app_id\": \W(?<app_id>\w+)\W" | rex field=log "\"event_name\": \W(?<event_name>[a-zA-Z-|_|:]+)\W" | eval firstTransaction=if(event_name=="TRANSACTIONA", 1, 0) | eval secondTransaction=if(event_name=="TRANSACTIONB", 1, 0) | bin _time span=2w | stats sum(firstTransaction) as TotalfirstTransaction sum(secondTransaction) as TotalsecondTransaction by app_id | eval successRate=round(TotalsecondTransaction/TotalfirstTransaction*100, 1)."%" | fillnull successRate | sort - successRate | search NOT successRate=0

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...