- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Success vs Entry (Effectiveness interval problem)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
I'm having trouble creating effectiveness indicators (focused on the end user) because some cases begin at the end of and interval (minute 59 of the 1 hour interval #1) and those cases end successfully inside the next interval (1 hour interval #2). This means that sometimes the success cases in the interval # 2 might be 120 and the entries of the same interval might be 100, giving us a 120% effectiveness.
I know that some cases the entries of the interval #2 will also end up in the interval # 3, and so on. But even so I can't trust this number.
Using join will allow me to be certain on the cases that starts and end inside the interval, but I will be blind on the cases that end up successfully on the next interval, so I will have a different problem.
Any ideas?
Thank's for your time!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Doing this properly will depend on defining what you mean by effectiveness.
YOU need to make the data answer the exact question you are asking.
It sounds like you are asking, "of the cases that started during this interval, what percentage were completed within 60 minutes?"
That number, calculated properly, cannot ever be over 100%.
To answer that question, try something like this...
index=A host=B script_name=C
| eval entry_time=if(description="Entry",_time,null())
| eval success_time=if(description="Success",_time,null())
| stats min(entry_time) as entry_time max(success_time) as success_time by sid
| eval duration = success_time - entry_time
| where isnotnull(duration)
| eval success=if(duration<=3600,100,0)
| bin entry_time as _time span=1h
| stats avg(success) as effectiveness by _time
Above code assumes that sid is the identifying number of a case, and that cases that have a beginning but no end or vice versa are to be ignored.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Doing this properly will depend on defining what you mean by effectiveness.
YOU need to make the data answer the exact question you are asking.
It sounds like you are asking, "of the cases that started during this interval, what percentage were completed within 60 minutes?"
That number, calculated properly, cannot ever be over 100%.
To answer that question, try something like this...
index=A host=B script_name=C
| eval entry_time=if(description="Entry",_time,null())
| eval success_time=if(description="Success",_time,null())
| stats min(entry_time) as entry_time max(success_time) as success_time by sid
| eval duration = success_time - entry_time
| where isnotnull(duration)
| eval success=if(duration<=3600,100,0)
| bin entry_time as _time span=1h
| stats avg(success) as effectiveness by _time
Above code assumes that sid is the identifying number of a case, and that cases that have a beginning but no end or vice versa are to be ignored.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are several ways to correlate events and find out interval, however, you will have to provide us with mock data with dummy (if not actual) field names. Also you will have to provide us with your current query so that community can assist you better.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the feedback.
It's like this:
index=A host=B script_name=C
| dedup sid
| timechart span=30m count(eval(description="Entry")) as entries count(eval(description="Success")) as success
| eval effectiveness=round(100*success/(entries),2)
| fields _time effectiveness
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You will still need to provide mock data with sid and desciption so that your use case is clear. Also can you explain effectiveness calculation?
Seems like all your data will start with description=Entry which may lead to description=Successful or not.
index=A host=B script_name=C (description="Entry" OR description="Success") sid=*
| stats count as eventcount first(_time) as EntryTime last(_time) as SuccessTime values(description) as description by sid
| search eventcount>1 description="Entry" description="Success"
| eval duration=SuccessTime-EntryTime
| eval _time=EntryTime
| fields - SuccessTime
| makeresults | eval message= "Happy Splunking!!!"
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
