Solved: How to write a search to calculate percentages for...

trunghung · ‎03-01-2016

I am trying to write a search that reports the percentage of total users impacted from log data.

// All users will have this line recorded
initializing user blah blah

// success user will have this line recorded
init succeeded

// fail users will have a few variations
init failed A
init failed B

How do I write a search that counts the occurrences of these strings and calculate a percentage from there? Also preferably, I would like to use the userid field to only count each user once.

The report would look something like

Total User | Success Rate | Failure Rates
53334      |     99%      |    1%

I tried using the append command to combine the counting of each result, but it is too slow. I was hoping for a more streamline answer. Thank you very much

chimell · ‎03-02-2016

Hi
This will help

index=_* status=*|stats count(user) as Total_user|appendcols[search index=_* status=success|stats count(user) as success_user]|appendcols[search index=_* status=failure|stats count(user) as fail_user]|eval successRate=((success_user/Total_user)*100)."%", failureRate=((fail_user/Total_user)*100)."%"|table Total_user successRate failureRate

Look at the result

View solution in original post

fdi01 · ‎03-02-2016

your_base_search |stats count AS "T",count(eval(Type=="ERROR")) AS Failure|eval pF=round((Failure/T)*100), "Success Rate"=100-pF|table T,"Success Rate",pF|rename pF as "Failure Rates",  T as "Total User"

chimell · ‎03-02-2016

Hi
This will help

index=_* status=*|stats count(user) as Total_user|appendcols[search index=_* status=success|stats count(user) as success_user]|appendcols[search index=_* status=failure|stats count(user) as fail_user]|eval successRate=((success_user/Total_user)*100)."%", failureRate=((fail_user/Total_user)*100)."%"|table Total_user successRate failureRate

Look at the result

chimell · ‎03-03-2016

Good Thanks

s2_splunk · ‎03-01-2016

In the absence of real sample logs, something like this should get you close:

yourSearch 
 | stats count(eval(match(Type, "ERROR"))) AS f, count as t 
 | eval s = t-f, percF = (f/t)*100, percS=100-percF 
 | rename t as Total, percF as FailureRate, percS as SuccessRate 
 | table Total, FailureRate, SuccessRate

s2_splunk · ‎03-01-2016

Do you have the status (failed/succeeded) available as a field? It's tricky to help without knowing what you have to work with. If you have a field, it will be pretty simple to stats count successes and failures, and calculate the totals and percentages from those two values.

sameera123 · ‎03-01-2016

yoursearch |stats count AS "Total",count(eval(Type=="ERROR")) AS Failure|eval Faliurerate=(Failure/Total)*100|eval successrate=100-Faliurerate|table Total,successrate,Failurerate

trunghung · ‎03-01-2016

yeah I do have a field called Type=ERROR when it is a failure.

How to write a search to calculate percentages for success and failure rates from my user log data?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!