How to create a timeseries that is derived by divi...

Splunkster45 · ‎03-12-2015

Once search query allows me to get the total percentage of failed calls in a 24 hour window

index= ...  | stats count(client_ip) as Calls | appendcols [ search index=...  | stats count(IPAddress) AS Fails] |  eval "Percent Fails"=Fails/Calls*100

If I put the base searches of each the above two searches into the variables A and B, I get

    A  | stats count(client_ip) as Calls | appendcols [ B | stats count(IPAddress) AS Fails] |  eval "Percent Fails"=Fails/Calls*100

I can also create a timeseries for the number of calls and the number of fails by the following

A | timechart count span=1h
B | timechart count span=1h

Is there a way that I can combine the two? I want to be able to get a timeseries of the percentage of failed calls per hour over the last 24 hours.

Essentially, this would equate to taking each hour in B and dividing it by the same hour in A. Does anyone have any idea of how to do this?

Thanks!

btt · ‎03-18-2015

Hi,

index= .... | bucket span=1h _time 
| stats count(client_ip) as Calls  count(IPAddress) AS Fails
|timechart per_hour(eval(Fails/Calls*100)) as  Percent_Fails

How to create a timeseries that is derived by dividing similar columns from two other timeseries

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!