I have some transaction data. Transactions originate in a region and can either succeed or fail. I would like to have a graph of the failure rate (as a percentage) by region. I have not found a way to do this.
The closest I have gotten is:
...
| timechart span=1h count(eval(Msg="0420")) as fail_cnt, count as cnt
| eval pct=100*(fail_cnt/cnt)
| fields - *cnt
The problem I have is that when I try and do a "by region" then the timechart complains.
The eval(Msg="0420") is simply an arbitrary failure condition. In general, I would like to be able to graph arbitrary rates across regions so that I can compare if one region is out of step with the others.
A solution is here:
http://www.splunk.com/base/Documentation/4.1.6/User/ReportOfMultipleDataSeries
The problem is that timechart can't display more than three dimensions of data (time, series, value). The above is probably a bit more complicated than is strictly required for your graph, since you discard the additional series and just keep pct. So a simpler solution in your specific case is:
... | bucket _time span=1h
| stats count(eval(Msg="0420")) as fail_cnt
        count as cnt
        by _time, region
| eval pct=100*fail_cnt/cnt
| timechart span=1h
        first(pct) as pct
        by region
or (possibly simpler):
... | bucket _time span=1h
| stats count(eval(Msg="0420")) as fail_cnt
        count as cnt
        by _time, region
| eval pct=100*fail_cnt/cnt
| xyseries _time region pct
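Building on the stats-then-pivot approach in the answer above, here is an added example (not from the original poster or the answerer) that lists the region/hour pairs whose failure rate is out of step with the overall rate for the same hour, instead of charting every region. The 50-event minimum and the 5-percentage-point margin are assumed thresholds to tune, and all_fail, all_cnt, overall_pct and delta are field names introduced here.

```spl
... | bucket _time span=1h
| stats count(eval(Msg="0420")) as fail_cnt count as cnt by _time, region
| eval pct=round(100*fail_cnt/cnt, 2)
| eventstats sum(fail_cnt) as all_fail sum(cnt) as all_cnt by _time
| eval overall_pct=round(100*all_fail/all_cnt, 2)
| eval delta=pct-overall_pct
| where cnt>=50 AND delta>5
| sort - delta
| table _time region cnt fail_cnt pct overall_pct delta
```

The overall rate is computed from summed counts rather than by averaging the per-region percentages, so a low-volume region with a handful of failures does not skew the baseline.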