How to get consecutive Success Percentage columns for 3 back-to-back 10 minute periods in a Splunk Dashboard?

ankycampy
Explorer

I ran a search to get total request count, success count, and error count by Application ID, then calculated the success percentage as well, and I get the application ID, request count, success count, error count, and success percentage in table format in a dashboard. I want to get the success percentage for consecutive time intervals as mentioned below:
1st success percent column should have -10m@m data
2nd success percent column should have -20m@m to -10m@m data
3rd success percent column should have -30m@m to -20m@m data

and want to show in dashboard like below:

Application ID | RequestCount | SuccessCount | ErrorCount | -10m SuccessPercent | -20m to -10m SuccessPercent | -30m to -20m SuccessPercent

How can I get this consecutive success count? Please help asap.

0 Karma

MuS
SplunkTrust

Hi ankycampy,

you can run a search over the last 30 minutes and do stats over each 10-minute step like this:

index=_internal earliest=-30min@min sourcetype=splunkd 
| bucket _time span=1min 
| stats last(_time) AS last_time count AS per_min_count by _time, host, sourcetype 
| eval 30min_ago = if(last_time > exact(relative_time(now(),"-30min@min")) AND last_time <= exact(relative_time(now(),"-20min@min")) , per_min_count ,"0")
| eval 20min_ago = if(last_time > exact(relative_time(now(),"-20min@min")) AND last_time <= exact(relative_time(now(),"-10min@min")) , per_min_count ,"0")
| eval 10min_ago = if(last_time > exact(relative_time(now(),"-10min@min")) AND last_time <= exact(relative_time(now(),"-1min@min")) , per_min_count ,"0")
| stats max(last_time) AS _time, values(host) AS host, values(sourcetype) AS sourcetype, max(10min_ago) AS 10min_ago, max(20min_ago) AS 20min_ago, max(30min_ago) AS 30min_ago

Hope this helps to get you started ...

cheers, MuS

0 Karma

Richfez
SplunkTrust

Perhaps asking if the author(s) of timewrap can add a "minute" parameter instead of just hour, day, week, month, quarter and year. Then you could do

... mysearch earliest=-30m | stats [make all the calculations] | timewrap 10min

I don't recall how the app is packaged; if it's Python or something, you may even be able to hack it to make it do this.

0 Karma

ankycampy
Explorer

Hi All/Rich,

Tried timewrap, but not getting required result. Please find the complete search I am using below for getting consecutive time Success Percentage.

index=xxx sourcetype=abcd earliest=-20m latest=now
| stats count(eval(STATUSCODE="ERROR" OR STATUSCODE="COMPLETE" OR STATUSCODE="COMPLETED")) as "RequestCount", count(eval(STATUSCODE="COMPLETE" or STATUSCODE ="COMPLETED")) as "SuccessCount", count(eval(STATUSCODE="ERROR")) as "ErrorCount" by ID COMPONENT
| eval Result=round(((SuccessCount)/RequestCount)*100,2)." %"
| appendcols
    [ search index=xxx sourcetype=abcd earliest=-10m latest=now
    | stats count(eval(STATUSCODE="ERROR" OR STATUSCODE="COMPLETE" OR STATUSCODE="COMPLETED")) as "RequestCountlatest", count(eval(STATUSCODE="COMPLETE" or STATUSCODE="COMPLETED")) as "SuccessCountlatest", count(eval(STATUSCODE="ERROR")) as "ErrorCountlatest" by ID COMPONENT ]
| eval LatestResult=round(((SuccessCountlatest)/RequestCountlatest)*100,2)." %"
| table ID COMPONENT SuccessCount ErrorCount RequestCount SuccessCountlatest ErrorCountlatest RequestCountlatest Result LatestResult
| fillnull value=0

As you see, the main search runs between -20 to now time duration and subsearch runs between -10 to now time duration.
Surprisingly, I am getting some data in subsearch columns which I am not getting in main search columns.
I want Result and LatestResult column data in respect to ID and COMPONENT for the respective duration.

For example:
If ID has A value and COMPONENT has B value in subsearch timeframe and showing percentage result in LatestResult column, then I should get the same or more value in main search timeframe as subsearch time frame falls under main search timeframe.

Basically, I need consecutive 10min time SuccessPercentage with respect to ID and Component. Please help to get the required result.
Thanks!!!!

0 Karma