How to search the percentage of times an event hap...

mzhall · ‎07-23-2015

I am trying to construct a search that will display the percentage of times an event happened before 8 am and percentage of times the event happened after 8 am over the last month or even the last year.

I have not found much in the way of getting started... I think it might have something to do with buckets and possibly a timechart but I am really not sure.

somesoni2 · ‎07-23-2015

Try something like this (example query with _internal data)

index=_internal sourcetype=splunkd log_level=ERROR component=TcpOutputFd | table _time | eval Hour=strftime(_time,"%H") | eval Before8AM=if(Hour<8,1,0) | eval After8PM=if(Hour>20,1,0) | stats count as Total sum(Before8AM) as Before8AM sum(After8PM) as After8PM | eval Before8AM=round(Before8AM*100/Total,2) | eval After8PM=round(After8PM*100/Total,2) | table Before8AM After8PM

alacercogitatus · ‎07-23-2015

You could try something like this:

<your_search_for_Event> | eval timeBucket = if(tonumber(strftime(_time,"%H"))<8,"Before","After")| stats sum(eval(if(timeBucket=="After",1,0))) as After sum(eval(if(timeBucket=="Before",1,0))) as Before | eval total = After + Before | eval After_Percent = After / total * 100 | eval Before_Percent = Before /total * 100

If you have a key in the event, you can use the normal by clause to split it out, and nothing else will need to change!

How to search the percentage of times an event happened within a certain time period each day over a specified time range?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes