Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

eval percentage issue

kelambert
Explorer
‎01-03-2014 10:54 AM

I am trying to create an error percent tracker, but I cant get the eval command to generate a number. I have tried several search strings, these two seem to be the closest to success.

index="java" host="*tkn*" proxy\/listing | stats count as total | append [search index="java" host="*tkn*" proxy\/listing eventtype="java_exception*" OR eventtype="nix_errors" | stats count as error] | eval error_percentage=100*round(error/success,4) | fields error_percentage,error,total | rangemap field=error_percentage low=0-5 elevated=5-10 severe=10-100 default=0

index="java" host="*tkn*" proxy\/listing | stats count as total | search eventtype="java_exception*" OR eventtype="nix_errors" | stats count as error | eval error_percentage=100*round(error/success,4) | fields error_percentage | rangemap field=error_percentage low=0-5 elevated=5-10 severe=10-100 default=0
Tags (1)
0 Karma
Reply

kelambert
Explorer
‎01-03-2014 12:46 PM

Success was a typo from the opposite query, was suppose to be total. The below answers all worked perfectly, thank you for the help

0 Karma
Reply

linu1988
Champion
‎01-03-2014 12:32 PM

How do you get the value of success? With a append statement u wont be able to combine it to single event right?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-03-2014 12:30 PM

I'm guessing you want to know what percentage of events from your base search have one of those two eventtypes?

Try something like this:

base search | stats count as total count(eval(match(eventtype, "^java_exception") OR eventtype="nix_errors")) as errors | eval error_percentage=100*round(errors/total,4)

If you like, you can pull the definition of what constitutes an error out of the stats, to get something like this:

base search | eval error=if(match(eventtype, "^java_exception") OR eventtype="nix_errors",1,0) | stats count as total sum(error) as errors | eval error_percentage=100*round(errors/total,4)
Reply

somesoni2
Revered Legend
‎01-03-2014 12:23 PM

Try following

index="java" host="tkn" proxy/listing | eval hasError=if(eventtype="java_exception" OR eventtype="nix_errors","yes","no") | stats count(eval(hasError="yes")) as error, count as total | eval error_percentage=round(error*100/total,4) | rangemap field=error_percentage low=0-5 elevated=5-10 severe=10-100 default=0
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...