Splunk Search

Declare a variable for a search to find distribution of calls

skoelpin
SplunkTrust

I have 4 basic web services (I'll add more later) which are called throughout the day. My CalculateTax web service is called the most, followed by LookupTax which has the 2nd most, then DeliverySchedule which has the 3rd most, and ProductAvailability which has the least. So I want to make a dashboard pie chart which shows the distribution of these calls.

I tried extracting the fields for these calls but unfortunately I'm only getting 80% of the calls; I need 100% of them. So is there any way I could define each of the 4 searches as a variable, then tie all the variables together, find the percent of each web service and put it in a pie chart?

As of now I can do ... "CalculateTaxRequest" | stats count and get a count of the results for CalculateTax, but when trying to add another web service call onto that search it will not count, or it will combine the count totals of both web services, and I cannot get a distribution of each call.


somesoni2
SplunkTrust

Try something like this

..."CalculateTaxRequest" OR "LookupTax" OR "DeliverySchedule" OR "ProductAvailability" | eval Service=case(match(_raw,"CalculateTaxRequest"),"CalculateTaxRequest", match(_raw,"LookupTax"),"LookupTax", match(_raw,"DeliverySchedule"),"DeliverySchedule", 1=1,"ProductAvailability") | stats count by Service

Alternative approach

"CalculateTaxRequest"  | stats count | eval Service="CalculateTaxRequest" | append
[search "LookupTax"  | stats count | eval Service="LookupTax"] |append 
[search "DeliverySchedule"  | stats count | eval Service="DeliverySchedule" ] |append
[search "ProductAvailability"  | stats count | eval Service="ProductAvailability"] | table Service,count

skoelpin
SplunkTrust

Thanks for the reply. I followed your example and it output exactly what I was looking for. CalculateTax was perfect, but the other 3 web services' counts were off by a lot. Any idea as to why that would happen?

DeliverySchedule = off by 231
ProductAvailability = off by 406
LookupTax = off by 296


somesoni2
SplunkTrust

My query assumes you have only one web service name in any one event. So, are you getting a lower count or a higher one?

Also, try the alternative approach if that helps.

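As an added illustration that is not part of the thread, the Python below models the two counting methods on a few constructed events (the event text and log layout are assumptions) and shows how the first-match case() chain undercounts a service whenever one event mentions two service names:

```python
import re
from collections import Counter

# Constructed sample events (not from the thread). Each string stands in for
# one _raw event; the last two mention more than one web service name.
SAMPLE_EVENTS = [
    "10:00:01 POST /svc CalculateTaxRequest status=200",
    "10:00:02 POST /svc CalculateTaxRequest status=200",
    "10:00:03 POST /svc LookupTax status=200",
    "10:00:04 POST /svc DeliverySchedule status=200",
    "10:00:05 POST /svc ProductAvailability status=200",
    "10:00:06 POST /svc CalculateTaxRequest chained=LookupTax status=200",
    "10:00:07 POST /svc DeliverySchedule chained=ProductAvailability status=200",
]

# Order matters: it mirrors the branch order of the SPL case() expression.
SERVICES = ["CalculateTaxRequest", "LookupTax", "DeliverySchedule", "ProductAvailability"]

def classify_first_match(raw):
    """Mirror of eval Service=case(match(_raw,...), ..., 1=1, "ProductAvailability"):
    the first matching branch wins; the 1=1 default labels the rest ProductAvailability."""
    for name in SERVICES[:-1]:
        if re.search(name, raw):
            return name
    return SERVICES[-1]

def count_first_match(events):
    """Equivalent of ... | eval Service=case(...) | stats count by Service."""
    return Counter(classify_first_match(e) for e in events)

def count_all_matches(events):
    """One search per service, counts appended: a two-service event counts once for each."""
    counts = Counter()
    for e in events:
        for name in SERVICES:
            if re.search(name, e):
                counts[name] += 1
    return counts

def undercount(events):
    """Per-service gap between the methods: the 'off by N' the thread describes."""
    first, every = count_first_match(events), count_all_matches(events)
    return {name: every[name] - first[name] for name in SERVICES}

def distribution(counts):
    """Percentage share per service, the values a pie chart would plot."""
    total = sum(counts.values())
    return {name: round(100.0 * n / total, 1) for name, n in counts.items()}
```

Running undercount(SAMPLE_EVENTS) shows zero gap for CalculateTaxRequest (the first branch) and a gap of one for each service that appeared second in a chained event, which is the pattern reported above.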

skoelpin
SplunkTrust

I tried the alternative approach and once again, CalculateTax is working great but the others are showing 0. For the first query you posted, I'm getting fewer.


tonykung
New Member

Follow the logic shown in this query:

search 1st | stats count as count1 | join [search 2nd|stats count as count2] | fields count1 count2 | transpose

Let me know if it works for you.
