Splunk Search

https error percentage

harpr86
Explorer

Hi,

I am trying to get the error percentage of the https response request, but it's not working as expected.

index="john-doe-index"
| stats count AS Total count(eval(statusCode="2**")) as Success
| eval Failure = Total - Success | eval Percent_Failure = round((Failure/Total)*100)."%"
| stats count by Percent_Failure

showing the following result.

[screenshot of the search result]

I took the above query from previous answers; not sure why it's not working on my end, because the ratio of 4xx, 2xx is high and the result is showing 100% and count 1 all the time.

Thanks!

yuanliu
SplunkTrust

Several problems with this search.

  1. Success is 0.  You can verify this by removing everything after the first stats. (I will analyze this later.)
  2. You should not do stats by Percent_Failure because you will always get 1.

Why is the Success count 0?  You need to explain what the output in index=john-doe-index is.  By explain, I mean illustrate some real events (anonymize as needed).  Short of that, you need to explain whether you have a field named statusCode AND, if yes, how this code is extracted.  Second, you need to explain what "2**" signifies.  Is this a wildcard expression, or does your event record success events as the literal 2**?  These details are necessary so volunteers do not have to read your mind.  Here, I will speculate that your codes are like 200, 203, and so on. (Not "2**".)

I am not sure when count(eval(statusCode="2**")) can give a non-zero count, but I know in most cases it will end up with zero.  If you really, really, really want to use eval, you can do something like

| stats count as Total count(eval(if(searchmatch("statusCode=2*"), "success", null()))) as Success
| eval Failure = Total - Success | eval Percent_Failure = round((Failure/Total)*100)."%"
| table Percent_Failure Total

(If you are using wildcard in search, there is no need for "2**".) This is a lot messier than simply

| eval success = if(searchmatch("statusCode=2*"), "success", null())
| stats count as Total count(success) as Success
| eval Failure = Total - Success | eval Percent_Failure = round((Failure/Total)*100)."%"
| table Percent_Failure Total

Here is a full emulation using _internal.

index="_internal"
| extract access-extractions
| rename status as statusCode
``` data emulation above ```

My result is

Percent_Failure    Total
98%                257002

(Of course, in my emulation, most events do not have the field status, so they count as "failure" in this formula.) If you use | stats count by Percent_Failure instead of table, all you get is Total 1.
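A self-contained version of the same computation, added here as an illustration and not taken from the thread: it uses makeresults with a constructed list of eight status codes (values made up) so it runs without any index, and puts the question's literal "2**" comparison side by side with a numeric 200-299 range test.

```spl
| makeresults count=1
| eval statusCode=split("200,201,404,500,200,302,200,503", ",")
| mvexpand statusCode
| eval literal_match_from_question=if(statusCode="2**", 1, 0)
| eval success=if(tonumber(statusCode)>=200 AND tonumber(statusCode)<300, 1, 0)
| stats count AS Total, sum(literal_match_from_question) AS Success_literal, sum(success) AS Success
| eval Failure=Total-Success
| eval Percent_Failure=round((Failure/Total)*100)."%"
| table Total Success_literal Success Failure Percent_Failure
```

With these constructed codes the single result row is Total 8, Success_literal 0 (eval's "=" is a literal string comparison, so "2**" never matches, which is the symptom in the question), Success 4, Failure 4, Percent_Failure 50%. Piping that one row into | stats count by Percent_Failure would again collapse it to a count of 1, which is the second problem described above.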

harpr86
Explorer

Thanks for your detailed answer. It worked. Appreciated.
