Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

measuring overall success rate based off two transactions present in logs, but want to group results by a field

billycn20
Explorer
‎05-05-2021 01:11 PM

I am trying to measure our success rate on our platform. there are two individual events which we care to see in order to consider a transaction 'successful'. The two event_names we are looking for are "TRANSACTIONA" and "TRANSACTIONB" . The tricky part here is that i don't only want to know the overall success rate, but i want each individual success rate to be grouped by a field which i am creating in my query using rex. the field here is 'app_id'. 

I already have the overall success rate working in the below query, but trying to get these same 3 stats grouped for each individual app_id found is where i am having issues. Below is my current working query, looking to be extended into groups for each app_id:

index=jj3 "TRANSACTIONA" OR "TRANSACTIONB" | rex field=log "\"app_id\": \W(?<app_id>\w+)\W" | rex field=log "\"event_name\": \W(?<event_name>[a-zA-Z-|_|:]+)\W" | eval firstTransaction=if(event_name=="TRANSACTIONA", 1, 0) | eval secondTransaction=if(event_name=="TRANSACTIONB", 1, 0) | stats sum(firstTransaction) as TotalfirstTransaction sum(secondTransaction) as TotalsecondTransaction | eval successRate=round(TotalsecondTransaction/TotalfirstTransaction*100, 1)."%"

 

So essentially i want:
for each app_id found, i want to stats the following into output :

App_id, TotalfirstTransaction, TotalsecondTransaction, successRate

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sravankaripe
Communicator
‎05-05-2021 01:51 PM

 | stats sum(firstTransaction) as TotalfirstTransaction sum(secondTransaction) as TotalsecondTransaction by app_id | fields app_id TotalfirstTransaction TotalsecondTransaction | eval -----------

View solution in original post

Reply
Solved! Jump to solution
Solution

sravankaripe
Communicator
‎05-05-2021 01:51 PM

 | stats sum(firstTransaction) as TotalfirstTransaction sum(secondTransaction) as TotalsecondTransaction by app_id | fields app_id TotalfirstTransaction TotalsecondTransaction | eval -----------

Reply
Solved! Jump to solution

billycn20
Explorer
‎05-06-2021 12:26 PM

@sravankaripe wondering if you can help me refine this same query you provided me to show me the same data, but just represented in a week over week comparison. is that possible using my current query? 

something like:

App_id, TotalfirstTransaction, TotalsecondTransaction, successRate, currentWeeksuccessRate, PreviousWeek, 3Weeks ago

0 Karma
Reply
Solved! Jump to solution

billycn20
Explorer
‎05-06-2021 12:42 PM

my query as of right now is:
index=jj3 "TRANSACTIONA" OR "TRANSACTIONB" | rex field=log "\"app_id\": \W(?<app_id>\w+)\W" | rex field=log "\"event_name\": \W(?<event_name>[a-zA-Z-|_|:]+)\W" | eval firstTransaction=if(event_name=="TRANSACTIONA", 1, 0) | eval secondTransaction=if(event_name=="TRANSACTIONB", 1, 0) | stats sum(firstTransaction) as TotalfirstTransaction sum(secondTransaction) as TotalsecondTransaction by app_id | dedup app_id | eval successRate=round(TotalsecondTransaction/TotalfirstTransaction*100, 1)."%" | fillnull successRate | sort - successRate | search NOT successRate=0

0 Karma
Reply
Solved! Jump to solution

billycn20
Explorer
‎05-05-2021 02:05 PM

thank you! looks like i was very close after all. this is what i wanted. 

0 Karma
Reply
Solved! Jump to solution

sravankaripe
Communicator
‎05-05-2021 01:30 PM

Could you please some example how your events look like and what is your expected output

 

0 Karma
Reply
Solved! Jump to solution

billycn20
Explorer
‎05-05-2021 01:41 PM

because my log events contain sensitive data, i cannot share that. but i can provide you the expected output of what I'm looking to generate, extending what i have currently. Screen Shot 2021-05-05 at 4.38.48 PM.png

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...