Splunk Search

Understanding bins and spans

rnayshulis
New Member

Hi,
here is a query that is supposed to calculate a % of failed operations over a period of time (A message 'end' is sent with a status that could be 'failed'). Please excuse incorrect or non technical terminology, I'm a very new to this. I am trying to make sure I understand the meaning of bin and span in this particular search. Does this mean that I'm putting all of my events into chunks by 1 hour (so all events from 11am until noon are in one bucket, all events from noon to 1pm are in the next bucket, etc). Then I calculate the total number of events per each bucket (count as complete), calculate the total number of events per each bucket where status=failed (eval(status="failed")). Then for the timechart command, I add up all these totals from each bucket over 1 day and calculate my percentage. Is that a correct understanding? Thank you!

For example, if my data is like this:
event 1:
timestamp: June 11, 2018 9am
message: end
status: success
event 2:
timestamp: June 11, 2018 9:15am
message: end
status: failed

event 3:
timestamp: June 11, 2018 10am
message: end
status: success
event 3:
timestamp: June 11, 2018 10:15am
message: end
status: success

Then my failure rate % is (1+0)/(2+2)*100 = 25%,

index="index" "message=end" 
          | bin span=1h _time 
          | stats count as complete,
            count(eval(status="failed")) as failed by _time
          | timechart span=1d eval(100*sum(eval(failed))/sum(eval(complete))) as "Failed %"
0 Karma

logloganathan
Motivator

look like you are making thing very difficult.
Please use the below query. it will work

index="index" "message: end"
| timechart span=1h count as complete
| appendcols [ search index="index" "message: end" "status: failed"
| timechart span=1h count as failed ]
| eval percentage=failed*100/complete as "Failed %"

Please let me know if any issues

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...