Splunk Search

timechart percentage data - not working

Explorer

Hi,

I am trying to plot the percentage data over a period of span 1h.

host="abc" sourcetype="xyz" ("Eurl" ) | eval series1 = "Request" | append [search host="abc" sourcetype="xyz" ("Esuccess") | eval series2 = "Success"] | stats count(series1) as s1, count(series2) as s2 | eval pct=(s2*100/s1) | timechart span=1h avg(pct)

I am able to see the PCT value in one row, which is not helping the cause. I am looking for PCT data for every 1 hour.

This query does not return result if I add timechart. Not sure about the reason.

Please help.

1 Solution

SplunkTrust

It's quite common to do complex things like this with join and append. In the end it's easier to do with a disjunction (OR) and a little bit of eval magic. Also by eliminating the subsearch you'll speed things up quite a bit.

host="abc" sourcetype="xyz" (Eurl OR Esuccess) | eval series = if(searchmatch("Eurl"),"Request",series) | eval series = if(searchmatch("Esuccess"),"Success",series) | timechart count by series | eval pct=Success*100/Request | fields - Success Request

Here we just take all the events glommed together from both "Eurl" and "Esuccess", and we use eval to paint a field called 'series' onto the events, which will have values "Request" and "Success". Specifically the if function in eval will evaluate the first argument, which is a searchmatch function. If the searchmatch matches, if will return the second argument. Otherwise if returns the third argument. Then we let plain old timechart split this up by the two values. And then a little eval on the end I think should give you the percent you want.

minor notes: your stats count was essentially throwing away all your time information. Delete the timechart clause in your original search and run it again, then picture giving those output rows to timechart, as though those two rows were the only events. You'll then understand why timechart was doing what it was doing.

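To make the "bucket first, then divide" point concrete outside Splunk, here is an added Python illustration (not code from the answer above and not Splunk's own implementation). It mirrors the accepted pipeline step by step: an `eval`/`searchmatch`-style classifier paints a `series` value onto each event, a `timechart count by series` equivalent buckets events by hour, and a final `eval pct=Success*100/Request` is applied per bucket. It also shows the single-row result the original `stats count` produced, and the edge case where an hour has successes but no requests (Splunk returns null for that division; the function returns `None`). The events, hosts and messages are constructed sample data, not from the thread.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events for this example: (timestamp, raw event text).
# "Eurl" marks a request, "Esuccess" marks a successful request.
_T0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)


def _at(minutes):
    return _T0 + timedelta(minutes=minutes)


SAMPLE_EVENTS = [
    (_at(5), "GET /login Eurl=/api/auth"),
    (_at(6), "Esuccess user=alice"),
    (_at(20), "GET /login Eurl=/api/auth"),
    (_at(21), "Esuccess user=bob"),
    (_at(40), "GET /login Eurl=/api/auth"),
    (_at(41), "Esuccess user=carol"),
    (_at(55), "GET /login Eurl=/api/auth"),   # request with no success in hour 10
    (_at(65), "GET /login Eurl=/api/auth"),
    (_at(66), "Esuccess user=dave"),
    (_at(90), "GET /login Eurl=/api/auth"),
    (_at(91), "Esuccess user=erin"),
    (_at(125), "Esuccess user=frank"),        # success with no request in hour 12
]


def classify(raw):
    """Mirror `eval series = if(searchmatch("Eurl"),"Request",series)` and the
    matching Esuccess line. searchmatch is term-based and case-insensitive; a
    lowercase substring test is a close-enough stand-in for this sample."""
    text = raw.lower()
    if "eurl" in text:
        return "Request"
    if "esuccess" in text:
        return "Success"
    return None


def _bucket_start(ts, span):
    """Floor a timestamp to the start of its span-sized bucket (timechart span=1h)."""
    secs = span.total_seconds()
    return datetime.fromtimestamp((ts.timestamp() // secs) * secs, tz=timezone.utc)


def timechart_count_by_series(events, span=timedelta(hours=1)):
    """Mirror `timechart span=1h count by series`: one row per time bucket with a
    count for each series value. Returns {bucket_start: Counter}."""
    buckets = defaultdict(Counter)
    for ts, raw in events:
        series = classify(raw)
        if series is None:
            continue
        buckets[_bucket_start(ts, span)][series] += 1
    return dict(sorted(buckets.items()))


def success_pct(buckets):
    """Mirror `eval pct=Success*100/Request` applied to each timechart row.
    When a bucket has no Request events, Splunk's division yields null; we
    return None rather than raising ZeroDivisionError."""
    out = {}
    for start, counts in buckets.items():
        req = counts.get("Request", 0)
        succ = counts.get("Success", 0)
        out[start] = None if req == 0 else succ * 100 / req
    return out


def overall_pct(events):
    """The original `stats count(...) | eval pct=...` shape: time is discarded and
    a single percentage comes back, which is why a following timechart had
    nothing to bucket."""
    counts = Counter(classify(raw) for _, raw in events)
    req = counts.get("Request", 0)
    return None if req == 0 else counts.get("Success", 0) * 100 / req


if __name__ == "__main__":
    for start, pct in success_pct(timechart_count_by_series(SAMPLE_EVENTS)).items():
        print(start.isoformat(), pct)
    print("single-row stats result:", overall_pct(SAMPLE_EVENTS))
```

Running it shows the per-hour series (75.0, 100.0, then None for the hour with a success but no request) next to the single 100.0 that the stats-only approach reports; the same averaging-away of detail is what the original search produced in its one row. In SPL the equivalent guard against the empty-request bucket is a conditional in the final eval, for example `eval pct=if(Request>0, Success*100/Request, null())`.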

SplunkTrust

Thanks Gerald. My bad for flying blind.


Splunk Employee

Yes, nick had a typo with a mismatched parenthesis, but all you need to do to fix it is to match them up correctly.


Explorer

Getting this error - "Error in 'eval' command: The expression is malformed. Expected )".

Please help


Splunk Employee

Try it like this:

host="abc" sourcetype="xyz" ("Eurl" ) | eval series1 = "Request" | append [search host="abc" sourcetype="xyz" ("Esuccess") | eval series2 = "Success"] | timechart span=1h count(series2)*100/count(series1)

Your stats output doesn't contain the temporal values you need for the timechart. Easier than doing a "by _time" in your stats, you can just perform the math with timechart -- it supports the same functions as stats.


Splunk Employee

The timechart can't perform the eval math, my mistake. As a quick fix to get you going, do the search as you originally had it, but add "by _time" to the end of your stats command. That will produce the time values you need for the timechart.


Explorer

The expression - count(series2)*100/count(series1) is not returning any result in Splunk. Do you know what could be the reason?
