Hi,
I am trying to plot the percentage data over a period of span 1h.
host="abc" sourcetype="xyz" ("Eurl" ) | eval series1 = "Request" | append [search host="abc" sourcetype="xyz" ("Esuccess") | eval series2 = "Success"] | stats count(series1) as s1, count(series2) as s2 | eval pct=(s2*100/s1) | timechart span=1h avg(pct)
I am able to see the PCT value in one row, which is not helping the cause. I am looking for PCT data for every 1 hour.
This query does not return result if I add timechart. Not sure about the reason.
Please help.
It's quite common to do complex things like this with join and append. In the end it's easier to do with a disjunction (OR) and a little bit of eval magic. Also by eliminating the subsearch you'll speed things up quite a bit.
host="abc" sourcetype="xyz" (Eurl OR Esuccess) | eval series = if(searchmatch("eurl"),"Request",series) | eval series = if(searchmatch("Esuccess"),"Success",series) | timechart count by series | eval pct=Success*100/Request | fields - Success Request
Here we just take all the events glommed together from both "Eurl" and "Esuccess", and we use eval to paint a field called 'series' onto the events, which will have values "Request" and "Success". Specifically the if function in eval will evaluate the first argument, which is a searchmatch function. If the searchmatch matches, if will return the second argument. Otherwise if returns the third argument.
Then we let plain old timechart split this up by the two values. And then a little eval on the end I think should give you the percent you want.
Minor notes: your stats count was essentially throwing away all your time information. Delete the timechart clause in your original search and run it again, then picture giving those output rows to timechart, as though those two rows were the only events. You'll then understand why timechart was doing what it was doing.
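The same disjunction approach, written out as an added example (not nick's or Gerald's query) with the 1h span the question asked for, a single case() instead of two chained if()s, a fillnull so an hour with no events in one series still gets a number, and a guard so hours with zero Request events give null instead of a divide-by-zero error. The host, sourcetype and search terms are taken from the question; the column names are assumed to match the series values.

```spl
host="abc" sourcetype="xyz" (Eurl OR Esuccess)
| eval series=case(searchmatch("Eurl"), "Request", searchmatch("Esuccess"), "Success")
| timechart span=1h count by series
| fillnull value=0 Request Success
| eval pct=if(Request>0, round(Success*100/Request, 2), null())
| table _time Request Success pct
```

One difference from the two-eval version: an event that contains both terms is counted once, as Request, because case() returns the first matching branch, whereas the chained if()s would relabel it Success.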
Thanks Gerald. My bad for flying blind.
Yes, nick had a typo with a mismatched parenthesis, but all you need to do to fix it is to match them up correctly.
Getting this error - "Error in 'eval' command: The expression is malformed. Expected )".
Please help
Try it like this:
host="abc" sourcetype="xyz" ("Eurl" ) | eval series1 = "Request" | append [search host="abc" sourcetype="xyz" ("Esuccess") | eval series2 = "Success"] | timechart span=1h count(series2)*100/count(series1)
Your stats output doesn't contain the temporal values you need for the timechart. Easier than doing a "by _time" in your stats, you can just perform the math with timechart -- it supports the same functions as stats.
The timechart can't perform the eval math, my mistake. As a quick fix to get you going, do the search as you originally had it, but add "by _time" to the end of your stats command. That will produce the time values you need for the timechart.
The expression - count(series2)*100/count(series1) is not returning any result in Splunk. Do you know what could be the reason?