Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to calculate the Success events percentage based on the time intervals.

mvaradarajam
Path Finder
‎11-27-2013 09:16 PM

Hi All,

how to calculate percentage value based on time intervals.here i am writting a query

index=operartions sourcetype="SView" OR sourcetype="YView" DashboardStatus="Success"
| timechart span=1d count(DashboardStatus) as Success by sourcetype
| appendcols
[ search index=operartions sourcetype="SView" OR sourcetype="YView" DashboardStatus="*"
| bucket _time span=1d
|stats count(eval(eventtype="YViewStatus" OR eventtype="SViewStatus")) as ClientSuccess count(DashboardStatus) as complete by _time
| eval percent=(ClientSuccess*100/complete)
|table percent
]

Here "YViewStatus" is the event type,it display the success records.
"DashboardStatus" is the field type (Success/Failed).we are calculating the percentage based on the Success/Total events.
using the above query there is a mismatch b/w time intervals,can u plz suggest the right query.
thanks for advance.

Tags (2)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎11-28-2013 04:34 PM

The appendcols do not insure that the exact same time range from the 2 searches will match.
you should use a bucket _time span and join them on the field _time.

Instead of |appendcols [, use | join _time [

Also you are using 2 searches (one for success, one for all dashboard and stats), you could try to use only one
please try with something like :

index=operartions sourcetype="SView" OR sourcetype="YView" DashboardStatus="*"
| bucket _time span=1d |
| stats count(eval(DashboardStatus="Success")) AS Success count(eval(eventtype="YViewStatus" OR eventtype="SViewStatus")) AS ClientSuccess count(DashboardStatus) AS complete by _time sourcetype
| eval percent=(ClientSuccess*100/complete)

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Seamless IT/OT Security: A Hands-On Look at the Cisco Cyber Vision Splunk Add-on

With just a few clicks, you can ingest critical OT asset details, vulnerabilities, baseline deviations, ...