- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- SLA monitoring: percentage of slow transactions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have selected and filtered a bunch of transactions that are part of KPI in our SLA.
We define "slow" transactions as transactions with a duration over 3 seconds.
Now that i have all transactions (and thus their durations) that have to be taken into account, how can i calculate how many % of those is considered "slow" ?
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use eval and if to divide the durations into "OK" and "Not OK" levels, for instance. Let's call the duration field duration and that it holds the values in whole seconds.
<yourbasesearch> | eval sla_level=if(duration>3,"Not OK","OK") | top sla_level
This will give you a table with absolute count and percentage of each "Not OK" and "OK" durations. If you want to divide into more intervals, you could use case instead of if and define more levels.
EDIT: So in response to your comment regarding getting these stats per hour, here's how to do it:
<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level
Filtering out all hours with less than 10 events requires some tricks but can be done like this:
<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level | untable _time sla_level count | where count>=10 | xyseries _time sla_level count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use eval and if to divide the durations into "OK" and "Not OK" levels, for instance. Let's call the duration field duration and that it holds the values in whole seconds.
<yourbasesearch> | eval sla_level=if(duration>3,"Not OK","OK") | top sla_level
This will give you a table with absolute count and percentage of each "Not OK" and "OK" durations. If you want to divide into more intervals, you could use case instead of if and define more levels.
EDIT: So in response to your comment regarding getting these stats per hour, here's how to do it:
<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level
Filtering out all hours with less than 10 events requires some tricks but can be done like this:
<yourbasesearch> | eval sla_level=if(duration>30,"Slow","OK") | timechart span=1h count by sla_level | untable _time sla_level count | where count>=10 | xyseries _time sla_level count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You rock Ayn 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That can certainly be done! Have a look at the response, I edited it to include searches that do what you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wow 🙂 what a quick reply.
that indeed is going in the right direction. I would need two things to add to it:
* I would like to see those percentages on a per hour basis (span=1h)
(and if possible ...)
* I am not interested in hours where there are less than 10 transactions.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
