I ran a search to get the total request count, success count, and error count by Application ID, then calculated the success percentage as well, and I get the application ID, request count, success count, error count, and success percentage in table format in a dashboard. I want to get the success percentage for consecutive time intervals as mentioned below:
1st success percent column should have -10m@m data
2nd success percent column should have -20m@m to -10m@m data
3rd success percent column should have -30m@m to -20m@m data
and want to show in dashboard like below:
Application ID | RequestCount | SuccessCount | ErrorCount | -10m SuccessPercent | -20m to -10m SuccessPercent | -30m to -20m SuccessPercent
How can I get this consecutive success count? Please help ASAP.
Hi ankycampy,
you can run a search over the last 30 minutes and do stats over each 10-minute step like this:
index=_internal earliest=-30min@min sourcetype=splunkd
| bucket _time span=1min
| stats last(_time) AS last_time count AS per_min_count by _time, host, sourcetype
| eval 30min_ago = if(last_time > exact(relative_time(now(),"-30min@min")) AND last_time <= exact(relative_time(now(),"-20min@min")) , per_min_count ,"0")
| eval 20min_ago = if(last_time > exact(relative_time(now(),"-20min@min")) AND last_time <= exact(relative_time(now(),"-10min@min")) , per_min_count ,"0")
| eval 10min_ago = if(last_time > exact(relative_time(now(),"-10min@min")) AND last_time <= exact(relative_time(now(),"-1min@min")) , per_min_count ,"0")
| stats max(last_time) AS _time, values(host) AS host, values(sourcetype) AS sourcetype, max(10min_ago) AS 10min_ago, max(20min_ago) AS 20min_ago, max(30min_ago) AS 30min_ago
Hope this helps to get you started ...
cheers, MuS
Perhaps ask if the author(s) of timewrap can add a "minute" parameter instead of just hour, day, week, month, quarter and year. Then you could do
... mysearch earliest=-30m | stats [make all the calculations] | timewrap 10min
I don't recall how the app is packaged; if it's Python or something, you may even be able to hack it to make it do this.
Hi All/Rich,
I tried timewrap, but I am not getting the required result. Please find below the complete search I am using to get the success percentage for consecutive time ranges.
index=xxx sourcetype=abcd earliest=-20m latest=now
| stats count(eval(STATUSCODE="ERROR" OR STATUSCODE="COMPLETE" OR STATUSCODE="COMPLETED")) as "RequestCount", count(eval(STATUSCODE="COMPLETE" or STATUSCODE ="COMPLETED")) as "SuccessCount", count(eval(STATUSCODE="ERROR")) as "ErrorCount" by ID COMPONENT
| eval Result=round(((SuccessCount)/RequestCount)*100,2)." %"
| appendcols
    [ search index=xxx sourcetype=abcd earliest=-10m latest=now
    | stats count(eval(STATUSCODE="ERROR" OR STATUSCODE="COMPLETE" OR STATUSCODE="COMPLETED")) as "RequestCountlatest", count(eval(STATUSCODE="COMPLETE" or STATUSCODE="COMPLETED")) as "SuccessCountlatest", count(eval(STATUSCODE="ERROR")) as "ErrorCountlatest" by ID COMPONENT ]
| eval LatestResult=round(((SuccessCountlatest)/RequestCountlatest)*100,2)." %"
| table ID COMPONENT SuccessCount ErrorCount RequestCount SuccessCountlatest ErrorCountlatest RequestCountlatest Result LatestResult
| fillnull value=0
As you can see, the main search runs over the -20 to now time duration and the subsearch runs over the -10 to now time duration.
Surprisingly, I am getting some data in the subsearch columns which I am not getting in the main search columns.
I want the Result and LatestResult column data with respect to ID and COMPONENT for the respective duration.
For example:
If ID has value A and COMPONENT has value B in the subsearch timeframe and a percentage result is shown in the LatestResult column, then I should get the same or a higher value in the main search timeframe, as the subsearch timeframe falls within the main search timeframe.
Basically, I need consecutive 10min time SuccessPercentage with respect to ID and Component. Please help to get the required result.
Thanks!!!!
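
An added example, not part of any post in this thread: the three consecutive 10-minute success percentages computed in one search, so every column is grouped by the same ID and COMPONENT key. appendcols pairs rows by position rather than by key, which can produce the kind of mismatch described in the post above. The index, sourcetype and field names are taken from the posted search; `win`, `ok`, `req1`..`req3`, `ok1`..`ok3` and `pct1`..`pct3` are names assumed here, and `latest=@m` is an assumption made so that all three windows are exactly 10 minutes long.

```spl
index=xxx sourcetype=abcd earliest=-30m@m latest=@m
    (STATUSCODE="ERROR" OR STATUSCODE="COMPLETE" OR STATUSCODE="COMPLETED")
| eval win=case(_time >= relative_time(now(), "-10m@m"), 1,
                _time >= relative_time(now(), "-20m@m"), 2,
                true(), 3)
| eval ok=if(STATUSCODE="ERROR", 0, 1)
| stats count AS RequestCount,
        sum(ok) AS SuccessCount,
        count(eval(ok=0)) AS ErrorCount,
        count(eval(win=1)) AS req1, sum(eval(if(win=1, ok, 0))) AS ok1,
        count(eval(win=2)) AS req2, sum(eval(if(win=2, ok, 0))) AS ok2,
        count(eval(win=3)) AS req3, sum(eval(if(win=3, ok, 0))) AS ok3
        BY ID COMPONENT
| eval pct1=if(req1 > 0, round(ok1 / req1 * 100, 2), null())
| eval pct2=if(req2 > 0, round(ok2 / req2 * 100, 2), null())
| eval pct3=if(req3 > 0, round(ok3 / req3 * 100, 2), null())
| table ID COMPONENT RequestCount SuccessCount ErrorCount pct1 pct2 pct3
| rename pct1 AS "-10m SuccessPercent",
         pct2 AS "-20m to -10m SuccessPercent",
         pct3 AS "-30m to -20m SuccessPercent"
```

RequestCount, SuccessCount and ErrorCount cover the whole 30 minutes here. A window with no requests for an ID and COMPONENT pair is left empty rather than reported as 0 %.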