Splunk Search

Success vs Entry (Effectiveness interval problem)

cttorres
Explorer

Hi!

I'm having trouble creating effectiveness indicators (focused on the end user) because some cases begin at the end of an interval (minute 59 of the 1 hour interval #1) and those cases end successfully inside the next interval (1 hour interval #2). This means that sometimes the success cases in interval #2 might be 120 and the entries of the same interval might be 100, giving us a 120% effectiveness.

I know that in some cases the entries of interval #2 will also end up in interval #3, and so on. But even so, I can't trust this number.

Using join will allow me to be certain about the cases that start and end inside the interval, but I will be blind to the cases that end successfully in the next interval, so I will have a different problem.

Any ideas?

Thanks for your time!

0 Karma
1 Solution

DalJeanis
Legend

Doing this properly will depend on defining what you mean by effectiveness.

YOU need to make the data answer the exact question you are asking.

It sounds like you are asking, "of the cases that started during this interval, what percentage were completed within 60 minutes?"

That number, calculated properly, cannot ever be over 100%.

To answer that question, try something like this...

index=A host=B script_name=C
| eval entry_time=if(description="Entry",_time,null())
| eval success_time=if(description="Success",_time,null())
| stats min(entry_time) as entry_time max(success_time) as success_time by sid
| eval duration = success_time - entry_time
| where isnotnull(duration) 
| eval success=if(duration<=3600,100,0)
| bin entry_time as _time span=1h
| stats avg(success) as effectiveness by _time

The above code assumes that sid is the identifying number of a case, and that cases that have a beginning but no end, or vice versa, are to be ignored.
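To see why the per-interval ratio from the original timechart can exceed 100% while the per-case approach in the accepted answer cannot, here is an added Python simulation (not code from the thread or from Splunk) that runs both calculations over a small constructed event set; the event tuples, the 60-minute target and the sid values are all made up for illustration.

```python
from collections import defaultdict

HOUR = 3600

# Constructed sample events (epoch seconds, description, sid); not data from the thread.
EVENTS = [
    (300,            "Entry",   "s1"),
    (900,            "Success", "s1"),
    (HOUR - 60,      "Entry",   "s2"),  # minute 59 of interval 0 ...
    (HOUR + 120,     "Success", "s2"),  # ... completed in interval 1
    (HOUR - 20,      "Entry",   "s3"),
    (HOUR + 60,      "Success", "s3"),
    (HOUR + 600,     "Entry",   "s4"),
    (HOUR + 700,     "Success", "s4"),
    (HOUR + 800,     "Entry",   "s5"),  # never completes
    (2 * HOUR + 100, "Entry",   "s6"),
    (3 * HOUR + 200, "Success", "s6"),  # took 3700 s: over the 60-minute target
]

def bin_of(t, span):
    return t // span * span

def naive_effectiveness(events, span=HOUR):
    """Mirror of the timechart query: successes / entries, each counted in the bin
    where the event itself landed. Cases crossing a bin boundary inflate the ratio."""
    entries, successes = defaultdict(int), defaultdict(int)
    for t, desc, _ in events:
        if desc == "Entry":
            entries[bin_of(t, span)] += 1
        elif desc == "Success":
            successes[bin_of(t, span)] += 1
    return {b: (round(100 * successes[b] / entries[b], 2) if entries[b] else None)
            for b in sorted(set(entries) | set(successes))}

def per_case_effectiveness(events, span=HOUR, target=HOUR):
    """Mirror of the accepted answer: pair min(entry) with max(success) per sid,
    drop cases missing either side, score 100/0 on duration <= target, bin by entry."""
    entry, success = {}, {}
    for t, desc, sid in events:
        if desc == "Entry":
            entry[sid] = min(t, entry.get(sid, t))
        elif desc == "Success":
            success[sid] = max(t, success.get(sid, t))
    scores = defaultdict(list)
    for sid, t0 in entry.items():
        if sid not in success:            # equivalent of: where isnotnull(duration)
            continue
        scores[bin_of(t0, span)].append(100 if success[sid] - t0 <= target else 0)
    return {b: round(sum(v) / len(v), 2) for b, v in sorted(scores.items())}
```

With this data the naive method reports 150% for the second hour (three successes against two entries) and has no defined value for the fourth hour, while the per-case method stays between 0 and 100 and charges the slow case s6 to the hour in which it entered.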


niketn
Legend

There are several ways to correlate events and find the interval; however, you will have to provide us with mock data with dummy (if not actual) field names. Also you will have to provide us with your current query so that the community can assist you better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

cttorres
Explorer

Thank you for the feedback.

It's like this:

index=A host=B script_name=C
| dedup sid
| timechart span=30m count(eval(description="Entry")) as entries count(eval(description="Success")) as success
| eval effectiveness=round(100*success/(entries),2)
| fields _time effectiveness

0 Karma

niketn
Legend

You will still need to provide mock data with sid and description so that your use case is clear. Also, can you explain the effectiveness calculation?

Seems like all your data will start with description=Entry, which may lead to description=Success or not.

index=A host=B script_name=C (description="Entry" OR description="Success") sid=*
| stats count as eventcount min(_time) as EntryTime max(_time) as SuccessTime values(description) as description by sid
| search eventcount>1 description="Entry" description="Success"
| eval duration=SuccessTime-EntryTime
| eval _time=EntryTime
| fields - SuccessTime
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma