Calculate Percentage of status code for 200 by _ti...

Chirag812 · ‎01-11-2024

I want to calculate the Percentage of status code for 200 out of Total counts of Status code by time. I have written query as per below by using append cols. Below query is working but it is not giving percentage every minute or by _time wise. I want this Percentage of status code for 200 by _time also. So can anybody help me out on this how to write this query.

index=* sourcetype=* host=*
| stats count(sc_status) as Totalcount
| appendcols
[ search index=* sourcetype=* host=* sc_status=200
| stats count(sc_status) as Count200 ]
| eval Percent200=Round((Count200/Totalcount)*100,2)
| fields _time Count200 Totalcount Percent200

Chirag812 · ‎01-11-2024

Thanks a lot. This worked perfectly.

dtburrows3 · ‎01-11-2024

Since you are just wanting to display percentage of 200 and total count of all StatusCode in each minute.
I think a search like this should work.

index=<index> sourcetype=<sourcetype> sc_status=*
    | bucket span=1m _time
    | stats
        count as Totalcount,
        count(eval('sc_status'==200)) as Count200
            by _time
    | eval
        Percent200=round(('Count200'/'Totalcount')*100, 2)
    | fields + _time, Percent200, Totalcount

Example Output:

Calculate Percentage of status code for 200 by _time

stats

table

timechart

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk