Calculate percentage of counts over events

huaraz · ‎04-03-2015

Hi

I would like to get alerted about the percentage of extraction errors ( since there is no built-in function for this 😞 )

I was looking at this option ( field1 is the first field in my EXTRACT regex in transforms.conf )

index=logs | eval isn=if(isnull(field1),1,0) | chart sum(isn) count(isn) perc100(sum(isn)/count(isn))

but that does not work.

Thank you
Markus

chimell · ‎04-04-2015

Hi huaraz
To show the value perc100 in a table do this

     index=logs | eval isn=if(isnull(field1),1,0) | chart sum(isn) count(isn) | eval perc100='sum(isn)'/'count(isn)' |table perc100

stephane_cyrill · ‎04-04-2015

Hi Markus,
To show the value of perc100 in a table, just pipe what somesoni2 did like this:
.......l table perc100

you can add more the one fields using table commande.

...l perc100 sum(isn) count(isn) host

huaraz · ‎04-04-2015

That does not seem to work perc100 is just empty. But I think I found another way

index=logs | eval isn=if(isnull(field1),1,0) | chart sum(isn) as Failures count(isn) as "Total events" avg(eval(isn*100)) as Percentage

In this case average is also percentage,isn't it ?

Markus

somesoni2 · ‎04-03-2015

Chart/stats can't do operations on the fields which are not defined yet (sum(isn) and count(isn) will be available after chart command only). So try this

index=logs | eval isn=if(isnull(field1),1,0) | chart sum(isn) count(isn) | eval perc100='sum(isn)'/'count(isn)'

huaraz · ‎04-03-2015

How do I then show the value perc100 in a table or chart ?

Markus

Calculate percentage of counts over events

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability