Graph failure rate as a percentage by a grouping field

raoul
Path Finder

I have some transaction data. Transactions originate in a region and can either succeed or fail. I would like to have a graph of the failure rate (as a percentage) by region. I have not found a way to do this.

The closest I have gotten is:

... 
  | timechart span=1h count(eval(Msg="0420")) as fail_cnt, count as cnt 
  | eval pct=100*(fail_cnt/cnt) 
  | fields - *cnt

The problem I have is that when I try and do a "by region" then the timechart complains.

The eval(Msg="0420") is simply an arbitrary failure condition. In general, I would like to be able to graph arbitrary rates across regions so that I can compare if one region is out of step with the others.


gkanapathy
Splunk Employee

A solution is here:

http://www.splunk.com/base/Documentation/4.1.6/User/ReportOfMultipleDataSeries

The problem is that timechart can't display more than three dimensions of data (time, series, value). The above is probably a bit more complicated than is strictly required for your graph, since you discard the additional series and just keep pct. So a simpler solution in your specific case is:

... | bucket _time span=1h 
    | stats count(eval(Msg="0420")) as fail_cnt
            count as cnt 
      by _time, region
    | eval pct=100*fail_cnt/cnt
    | timechart span=1h
        first(pct) as pct
      by region

or (possibly simpler):

... | bucket _time span=1h 
    | stats count(eval(Msg="0420")) as fail_cnt
            count as cnt 
      by _time, region
    | eval pct=100*fail_cnt/cnt
    | xyseries _time region pct
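
The data flow of the answer above (bucket to the hour, count by time and region, compute the percentage, pivot to one column per region), emulated in Python as an added example that is not part of the original posts. The event list, the non-failure code "0200", the region names and the function name `failure_pct_by_region` are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample transactions (timestamp, region, Msg); "0420" marks a
# failure, matching the arbitrary failure condition used in the thread.
EVENTS = [
    ("2024-01-01T10:05:00", "east", "0200"),
    ("2024-01-01T10:20:00", "east", "0420"),
    ("2024-01-01T10:40:00", "west", "0200"),
    ("2024-01-01T10:50:00", "west", "0200"),
    ("2024-01-01T11:10:00", "east", "0420"),
    ("2024-01-01T11:15:00", "east", "0420"),
    ("2024-01-01T11:30:00", "east", "0200"),
    ("2024-01-01T11:45:00", "east", "0200"),
]


def failure_pct_by_region(events, fail_msg="0420"):
    """Return {hour: {region: pct}}, one column per region (hypothetical helper)."""
    counts = defaultdict(lambda: [0, 0])  # (hour, region) -> [fail_cnt, cnt]
    for ts, region, msg in events:
        # bucket _time span=1h: truncate the timestamp to the hour
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        # stats count(eval(Msg="0420")) as fail_cnt count as cnt by _time, region
        counts[(hour, region)][0] += msg == fail_msg
        counts[(hour, region)][1] += 1
    regions = sorted({region for _, region in counts})
    table = {}
    for hour in sorted({hour for hour, _ in counts}):
        row = {}
        for region in regions:
            cell = counts.get((hour, region))
            # eval pct=100*fail_cnt/cnt. A region with no events in this hour
            # has no stats row, so this emulation leaves its cell as None
            # instead of reporting 0% (and never divides by zero).
            row[region] = 100 * cell[0] / cell[1] if cell else None
        table[hour.isoformat()] = row  # xyseries _time region pct
    return table


if __name__ == "__main__":
    for hour, row in failure_pct_by_region(EVENTS).items():
        print(hour, row)
```

Each row is one hour and each key is one region's series, which is the three-dimensional shape (time, series, value) the answer says the chart can display.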
