Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find the the error rate that does not have following response after a given time range?

hongbo_miao
Path Finder
‎09-18-2020 02:12 PM

I have some logs like these

 

{
logType: 'Incoming Request',
url: '/hello'
timestamp: '2020-09-18T17:53:56.516Z'
}

{
logType: 'Outgoing Response',
url: '/hello'
timestamp: '2020-09-18T17:53:57.516Z'
}

{
logType: 'Incoming Request',
url: '/bye'
timestamp: '2020-09-19T10:53:56.516Z'
}

 

I tries to get error rate that does that does not have following response after a given time range.

For example, if the given time range is 5 seconds,

for URL /hello, Incoming Request does have a Outgoing Response, so it is successful.

However, for URL /bye, it is missing Outgoing Response like this case (or does not have the following Outgoing Response in 5 seconds).

So I want list a table like

urltotalRequestserrRate
/hello10
/bye1100%

 

Any guide would be helpful! Thanks

Labels (1)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-18-2020 09:51 PM

Do you always get one request and one response or there could be multiple requests and multiple responses.

for example: requestA , requestB , responseA , responseB

or

requestA, responseA, requestB, responseB

trying to understand the sequence to answer your question better.

————————————
If this helps, give a like below.
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-18-2020 02:29 PM

Have you indexed these logs? Have you extracted any fields e.g. timestamp, url, log type? Total requests is then the count of Incoming Requests. Error count is then Total requests - count of outgoing response.

| stats count(incoming) as incoming, count(outgoing) as outgoing by url, _time
| eval failure=incoming-outgoing
| eval errorrate=outgoing / incoming
0 Karma
Reply

hongbo_miao
Path Finder
‎09-18-2020 02:58 PM

Thanks @ITWhisperer I do have index.

 

index="my_index"
| stats count as total, count(eval(logType="Incoming Request")) as incoming, count(eval(logType="Outgoing Response")) as outgoing by url
| eval failure = incoming - outgoing
| eval errorrate = failure / total
| table url, total, incoming, outgoing, errorrate
| sort -errorrate

 

I came up with this, however, this not consider "give time range" yet, but I got the idea.

My incoming and outgoing columns in the table are 0, will further dig in and report back.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2020 02:16 AM

With the calculation you have shown, if you have 20 incoming and 15 outgoing, your total will be 35, your failures will be 5, your error rate will be 1/7 when it should be 1/4.

That doesn't explain why you are get zero counts. Can you check that the logType is what you think it is?

0 Karma
Reply

hongbo_miao
Path Finder
‎09-24-2020 10:39 AM

Oh for the count is 0 issue, I replied at https://community.splunk.com/t5/Splunk-Search/Always-got-zero-for-count/m-p/521339#M146908

Really appreciate for the help!

I will back to this question once I have a final solution later.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...