
How to create a time chart showing percentage of transactions that exceeded a threshold time per hour?

Techie_Java
New Member

I have a search that calculates the % of transactions that exceeded the threshold time.

index=my_index sourcetype=web "Time taken for service " | rex "call: (?<duration>[0-9]+)ms" | eval sla_level=if(duration>5000,"SLA_BREACH","OK") | top sla_level | where sla_level="SLA_BREACH" | fields + percent

This search calculates and displays the percentage for the selected time range. However, I am trying to get an hourly SLA breach report. I tried using timechart, but I am getting errors. How do I get an hourly chart?

Example:
9 AM to 10 AM - if total transactions are 100 and 8 transactions took more than 5 secs.
10 AM to 11 AM - if total transactions are 200 and 10 transactions took more than 5 secs.
11 AM to 12 PM - if total transactions are 100 and 10 transactions took more than 5 secs.
12 PM to 1 PM - if total transactions are 100 and 5 transactions took more than 5 secs.

I want to see

_time               percent

2015-10-13 09:00    8
2015-10-13 10:00    5
2015-10-13 11:00    10
2015-10-13 12:00    5

woodcock
Esteemed Legend

Like this:

index=my_index sourcetype=web "Time taken for service " | rex "call: (?<duration>[0-9]+)ms" | eval sla_level=if(duration>5000,"SLA_BREACH","OK") | timechart span=1h count AS Total count(eval(sla_level="SLA_BREACH")) AS Breaches | eval percent = 100*Breaches/Total

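To make the behaviour of the accepted search concrete, here is an added Python re-implementation of its pipeline (not code from the original post or from Splunk): filter on the base search string, extract the millisecond duration with the same regex as the rex command, bucket events into one-hour spans like timechart span=1h, count Total and Breaches, and compute the percentage. The log lines are constructed for this example and their timestamp/INFO layout is a hypothetical format; only the "Time taken for service call: <n>ms" fragment matters. The example deliberately covers the three edge cases a practitioner hits with this search: an event that matches the base search but not the rex (it still counts toward Total and is rated "OK", because a null duration makes the if() condition false), a duration of exactly 5000ms (not a breach, since the test is strictly greater than), and an empty hour, where timechart still emits a bucket but 100*Breaches/Total is a division by zero, which Splunk's eval returns as null (shown here as None).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post); hypothetical layout.
SAMPLE_LOG = """\
2015-10-13 09:05:12 INFO Time taken for service call: 120ms
2015-10-13 09:17:44 INFO Time taken for service call: 7800ms
2015-10-13 09:40:01 INFO Time taken for service call: 430ms
2015-10-13 09:58:30 INFO Time taken for service call: 5001ms
2015-10-13 10:02:09 INFO Time taken for service call: 5000ms
2015-10-13 10:33:15 INFO Time taken for service call: 64ms
2015-10-13 10:45:00 INFO Time taken for service call: timeout
2015-10-13 11:11:11 INFO Time taken for service call: 9200ms
2015-10-13 11:12:00 INFO health check ok
2015-10-13 13:00:00 INFO Time taken for service call: 200ms
"""

BASE_FILTER = "Time taken for service "                 # the base search term
DURATION_RE = re.compile(r"call: (?P<duration>[0-9]+)ms")  # same as the rex
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
THRESHOLD_MS = 5000


def sla_level(line, threshold_ms=THRESHOLD_MS):
    """Mirror eval sla_level=if(duration>5000,"SLA_BREACH","OK").

    If the rex does not match, duration is null in Splunk, the comparison is
    false and if() falls through to "OK"; the event is still counted in Total.
    """
    m = DURATION_RE.search(line)
    if m is None:
        return "OK"
    return "SLA_BREACH" if int(m.group("duration")) > threshold_ms else "OK"


def hourly_sla_breach_percent(log_text, threshold_ms=THRESHOLD_MS):
    """Return rows of (hour, Total, Breaches, percent), one per hour bucket.

    Like timechart span=1h, every hour between the first and last event gets a
    row; an hour with no events has Total 0 and percent None (Splunk eval
    returns null for division by zero).
    """
    totals = defaultdict(int)
    breaches = defaultdict(int)
    for line in log_text.splitlines():
        if BASE_FILTER not in line:          # event not returned by base search
            continue
        m = TIMESTAMP_RE.match(line)
        if m is None:                        # no usable _time: skip
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        hour = ts.replace(minute=0, second=0)
        totals[hour] += 1                    # count AS Total
        if sla_level(line, threshold_ms) == "SLA_BREACH":
            breaches[hour] += 1              # count(eval(...)) AS Breaches
    if not totals:
        return []
    rows = []
    hour, last = min(totals), max(totals)
    while hour <= last:
        total = totals.get(hour, 0)
        br = breaches.get(hour, 0)
        percent = round(100.0 * br / total, 2) if total else None
        rows.append((hour.strftime("%Y-%m-%d %H:%M"), total, br, percent))
        hour += timedelta(hours=1)
    return rows


if __name__ == "__main__":
    print(f"{'_time':<17} {'Total':>5} {'Breaches':>8} {'percent':>8}")
    for t, total, br, pct in hourly_sla_breach_percent(SAMPLE_LOG):
        print(f"{t:<17} {total:>5} {br:>8} {('' if pct is None else pct):>8}")
```

If the empty-hour null is unwanted in the Splunk dashboard, appending `| fillnull value=0 percent` to the accepted search turns it into 0; whether "no transactions" should read as 0% breached or as no data is a reporting decision, not something the search decides for you.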
