Hey Splunkers,
I'm in a bit of a tricky situation. I have to calculate the error rate using 2 fields. The numerator has every receiver that has an error and the denominator is the total number of receivers.
So, I want to filter the numerators with the error code and eventually find out the error rate by error code. And do that in a way where total receivers for that day remain constant.
Here is what I tried:
index = abc (sourcetype=123 OR sourcetype=456)
| fields receiverId.string receiverId errorCode.string
| rename receiverId.string AS Receiver
| rename errorCode.string AS errorCode
| eventstats dc(Receiver) AS Receivers_with_errors BY errorCode
| eventstats dc(receiverId) AS Total_Receivers
| fields Receivers_with_errors errorCode Total_Receivers
| eval ErrorRate= round(((Receivers_with_errors/Total_Receivers)*100),2)
| timechart avg(ErrorRate) by errorCode limit=15 span=1d
I thought the timechart command would help me divide the Total receivers while the Receivers_with_errors would be first sorted by error codes and then, because of the timechart, through time.
But, is there a better way to do this?
Also, I am getting results in verbose mode, but not in fast mode. Why could that be? The data set is huge so I can't use verbose.
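A per-day version of the calculation described in the post, added here as an example and not written by the original poster. It reuses the post's index, sourcetypes and field names, and assumes that every event carries receiverId while only error events carry receiverId.string and errorCode.string. It bins events into days first, so the daily receiver total is fixed before the split by error code:

```spl
index=abc (sourcetype=123 OR sourcetype=456)
| fields _time receiverId receiverId.string errorCode.string
| rename receiverId.string AS Receiver, errorCode.string AS errorCode
| bin _time span=1d
| eventstats dc(receiverId) AS Total_Receivers BY _time
| stats dc(Receiver) AS Receivers_with_errors, max(Total_Receivers) AS Total_Receivers BY _time, errorCode
| eval ErrorRate=round((Receivers_with_errors / Total_Receivers) * 100, 2)
| timechart span=1d limit=15 max(ErrorRate) BY errorCode
```

After the stats step there is one row per day and error code, so max(ErrorRate) in the final timechart only pivots the rows and does not average across events.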