Splunk Search

How to edit my stats search to calculate a percentage based on a custom range?

justx001
Explorer

I have a search from web logs that I need to calculate a percentage based on a custom range.

Search example:

index=xxxxx env=prod | search message="1" as one, search message="2" as two, search message="3" as three, search message="4" as four | eventstats p90(timeTaken) as nTT | eval nTT < (TimeTaken * 0.9) | stats max(TimeTake), count(TimeTaken), avg(nTT) by group

This works for one value, but when I create a table with multiple rows, I get the same avg value for all rows which is wrong. Is there an easier way to calculate the percent value based on a custom data set?

0 Karma
1 Solution

sundareshr
Legend

Looks like you are missing a group-by in your eventstats. Try this query

 index=xxxxx env=prod | search message="1" as one, search message="2" as two, search message="3" as three, search message="4" as four | eventstats p90(timeTaken) as nTT by group | where nTT < (TimeTaken * 0.9) | stats max(TimeTake), count(TimeTaken), values(nTT) by group

View solution in original post

0 Karma

sundareshr
Legend

Looks like you are missing a group-by in your eventstats. Try this query

 index=xxxxx env=prod | search message="1" as one, search message="2" as two, search message="3" as three, search message="4" as four | eventstats p90(timeTaken) as nTT by group | where nTT < (TimeTaken * 0.9) | stats max(TimeTake), count(TimeTaken), values(nTT) by group
0 Karma

justx001
Explorer

i copy and pasted too many "search" statements, that is not how my query is but thought I should repost to clarify

 index=xxxxx env=prod | spath message | search message="1" as one, message="2" as two, message="3" as three, message="4" as four | eventstats p90(timeTaken) as nTT | eval nTT < (TimeTaken * 0.9) | stats max(TimeTake), count(TimeTaken), avg(nTT) by group 
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Are you sure this search works?? I don't think the | search and | eval works like this.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...