Splunk Search

top 10 vendors having high total volume and high failure

arjitgoswami
Explorer

Hi All,

My requirement was we needed to analyse issues with vendors who are failing to perform and for this, I needed a list of top 10 vendors who have a high number of failures and high total volumes of work. I can't use failure percentage here. The reason being one of our vendors had just 1 order which he failed to deliver, so now his failure percentage is 100%. But, we don't need to consider him for our analysis. Can somebody help in this regard?

Thanks
Arjit.


elliotproebstel
Champion

I'd approach this one of two ways:

  1. Determine a cutoff for what it means to have "high total volumes of work" - that could be 10 orders or 100 orders; it's all contextual, based on your business. But choose a number. Let's say you choose 100. Then I'd collect all events relating to orders and failures, count how many orders were placed per vendor using something like |eventstats count(eval(order_placed=1)) AS order_count by vendor, and then filter down to vendors with >100 orders by | where order_count>100. Then I'd use a stats call to count the failures by vendor and finally use top to order them by failure_count: top 10 failure_count.

  2. If it's not possible to define a priori what it means to have "high total volumes of work", then I would do something similar to order the vendors by order_count, but instead of filtering by order_count>100, I'd do some analysis to retain only the top 15% or 25% of vendors by order_count and then use the same analysis as above to get to the top 10 by failure_count.

If you'd like help actually implementing the syntax for either of these, I'd be happy to help. Just provide some examples of events that characterize orders and events that characterize failures.

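The two approaches above, written out as Splunk searches. This is an added example, not code from the thread or from Splunk; it assumes the order events live in index=orders with sourcetype=vendor_orders, that every event is one order, that a field vendor names the vendor and that a failed order carries status="failed" (all hypothetical field and index names). The first search is option 1 (fixed cutoff of 100 orders); the second is option 2 (keep the top 25% of vendors by order_count, computed with eventstats perc75 so the cutoff adapts to the data). A failure_pct column is added for context only; the ranking is by the raw failure count, as the question requires.

```spl
index=orders sourcetype=vendor_orders
| stats count AS order_count, count(eval(status="failed")) AS failure_count BY vendor
| where order_count > 100
| eval failure_pct=round(100*failure_count/order_count, 1)
| sort - failure_count
| head 10

index=orders sourcetype=vendor_orders
| stats count AS order_count, count(eval(status="failed")) AS failure_count BY vendor
| eventstats perc75(order_count) AS volume_cutoff
| where order_count >= volume_cutoff
| eval failure_pct=round(100*failure_count/order_count, 1)
| sort - failure_count
| head 10
```

Both searches drop the single-order vendor from the question before ranking, because a vendor with order_count=1 never passes the where clause. The final ranking uses sort and head rather than top: top counts how often each value of a field occurs, so top failure_count would rank the most common failure counts, not the vendors with the most failures.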

arjitgoswami
Explorer

@cusello @tiagofbmm @elliotproebstel : Thanks all for your help. I understand this wouldn't be straightforward. So we have asked our client to give us more details around this & to quantify what would be a high volume of work according to him.


tiagofbmm
Influencer

Well, I would still do the same math, calculating the percentage of failures, but I'd also keep an eye on how large the sample size is. Statistically and really roughly speaking, a sample of 30 is the minimum used to fit something to the Gaussian distribution.

So have that percentage shown only when the percentage of failure is over a threshold AND sample size > another_threshold.

gcusello
SplunkTrust

Hi arjitgoswami,
could you share some samples, to better understand your need?
Anyway, after calculating your number of failures you could filter results for number_of_failures more than 1 (or another threshold) and then calculate the other percentages.
With the little information I have, I cannot suggest more!
Bye.
Giuseppe
