Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart with Failurepercentage and appendcols

yuvrajsharma_13
Explorer
‎08-29-2023 07:56 AM

I am using below query to get search result and calculate the failure percentage but not getting the expected result.

 

index=dl* ("Error_MongoDB") | timechart span 1d count as Failure | appendcols [search index=dl* ("inserted Record") | timechart span=1d count as Success | eval (FailurePercentage = Failure/Sucess)*100 | field _time,Failure,Sucess,FailurePercentage

 

I am getting all the values except FailurePercentage. What could be the reason ?

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-30-2023 04:04 PM

So, try the suggestion - you only need the single search as I posted earlier, but with your updated search it should be like this

index=dl* ("Error_MongoDB") OR ("Record_Inserted") 
| eval Status=if(match(_raw, "Error_MongoDB"), "Failure", "Success")
| rename msg.attribute.ticketId as ticketId
| timechart span=1d dc(ticketId) by Status 
| eval FailurePercentage = (Failure/Success)*100 
| fillnull FailurePercentage

You don't need to use all the fields/table commands - the timechart will remove all the unnecessary fields anyway

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎08-29-2023 04:46 PM

There are lots of errors in that query if cut/pasted to a Splunk search, but if you are not getting FailurePercentage, that's because the statement

| eval (FailurePercentage = Failure/Sucess)*100

is not a valid Splunk eval statement and Sucess is also spelt incorrectly compared to the calculation in your stats command

Note that your approach to appendcols if not a good way to approach this problem and can be done more efficiently like this

index=dl* ("Error_MongoDB") OR ("inserted Record") 
| eval Status=if(match(_raw, "Error_MongoDB"), "Failure", "Success")
| timechart span=1d count as Total by Status 
| eval FailurePercentage = (Failure/Success)*100 
| fillnull FailurePercentage

so you don't need a subsearch and can do it in one timechart and the fillnull will take care if the value of Success is 0

Note that the eval Status line may be improved if you have a field that can indicate success/failure better than by matching _raw

0 Karma
Reply
Solved! Jump to solution

yuvrajsharma_13
Explorer
‎08-30-2023 02:36 PM

Thank you @bowesmana for quick response. I am writing down the exact query here.

I have to combine both the queries to get Failure %  using timechart.

 

Query 1 ( Success ) :

index=dl* ("Record_Inserted")  | fields msg.attribute.ticketId

| rename msg.attribute.ticketId as ticketId

| table ticketId,_time

| timechart span=1d dc(ticketId)

 

Query 2 ( Failure ) :

index=dl* ("Error_MongoDB")  | fields msg.attribute.ticketId | rename msg.attribute.ticketId as ticketId

| table ticketId,_time

| timechart span=1d dc(ticketId)

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-30-2023 04:04 PM

So, try the suggestion - you only need the single search as I posted earlier, but with your updated search it should be like this

index=dl* ("Error_MongoDB") OR ("Record_Inserted") 
| eval Status=if(match(_raw, "Error_MongoDB"), "Failure", "Success")
| rename msg.attribute.ticketId as ticketId
| timechart span=1d dc(ticketId) by Status 
| eval FailurePercentage = (Failure/Success)*100 
| fillnull FailurePercentage

You don't need to use all the fields/table commands - the timechart will remove all the unnecessary fields anyway

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...