Splunk Search

Understanding bins and spans

rnayshulis
New Member

Hi,
here is a query that is supposed to calculate the % of failed operations over a period of time (a message 'end' is sent with a status that could be 'failed'). Please excuse incorrect or non-technical terminology; I'm very new to this. I am trying to make sure I understand the meaning of bin and span in this particular search. Does this mean that I'm putting all of my events into chunks by 1 hour (so all events from 11am until noon are in one bucket, all events from noon to 1pm are in the next bucket, etc.)? Then I calculate the total number of events for each bucket (count as complete) and the total number of events for each bucket where status=failed (eval(status="failed")). Then for the timechart command, I add up all these totals from each bucket over 1 day and calculate my percentage. Is that a correct understanding? Thank you!

For example, if my data is like this:
event 1:
timestamp: June 11, 2018 9am
message: end
status: success
event 2:
timestamp: June 11, 2018 9:15am
message: end
status: failed

event 3:
timestamp: June 11, 2018 10am
message: end
status: success
event 4:
timestamp: June 11, 2018 10:15am
message: end
status: success

Then my failure rate % is (1+0)/(2+2)*100 = 25%.

index="index" "message=end"
| bin span=1h _time
| stats count as complete, count(eval(status="failed")) as failed by _time
| timechart span=1d eval(100*sum(failed)/sum(complete)) as "Failed %"
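An added example, not from the original post, that walks the four sample events above through the same three stages as the query: snap each _time down to its 1-hour bucket (bin span=1h), count complete and failed per bucket (stats ... by _time), then re-bucket by day and divide the day's sums (timechart span=1d). It is a Python model of what the SPL does, with the event list constructed inline from the sample data.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample events mirroring the four events in the question.
EVENTS = [
    {"_time": datetime(2018, 6, 11, 9, 0),   "message": "end", "status": "success"},
    {"_time": datetime(2018, 6, 11, 9, 15),  "message": "end", "status": "failed"},
    {"_time": datetime(2018, 6, 11, 10, 0),  "message": "end", "status": "success"},
    {"_time": datetime(2018, 6, 11, 10, 15), "message": "end", "status": "success"},
]

def bin_time(ts, span):
    """`bin span=<span> _time`: snap a timestamp down to the start of its bucket."""
    epoch = datetime(1970, 1, 1)
    secs = int((ts - epoch).total_seconds())
    return epoch + timedelta(seconds=secs - secs % int(span.total_seconds()))

def hourly_stats(events):
    """`stats count as complete, count(eval(status="failed")) as failed by _time`
    after `bin span=1h _time`: one row per hour bucket."""
    rows = defaultdict(lambda: {"complete": 0, "failed": 0})
    for e in events:
        if e["message"] != "end":
            continue  # the search term message=end drops these before binning
        b = bin_time(e["_time"], timedelta(hours=1))
        rows[b]["complete"] += 1
        if e["status"] == "failed":
            rows[b]["failed"] += 1
    return dict(rows)

def daily_failed_pct(hourly):
    """`timechart span=1d eval(100*sum(failed)/sum(complete))`: re-bucket the
    hourly rows by day and divide the day's totals. This is a ratio of sums,
    not an average of the hourly percentages, so busy hours weigh more."""
    days = defaultdict(lambda: {"complete": 0, "failed": 0})
    for b, r in hourly.items():
        d = bin_time(b, timedelta(days=1))
        days[d]["complete"] += r["complete"]
        days[d]["failed"] += r["failed"]
    return {d: 100 * r["failed"] / r["complete"]
            for d, r in days.items() if r["complete"]}

if __name__ == "__main__":
    hourly = hourly_stats(EVENTS)
    for b, r in sorted(hourly.items()):
        print(b, r)            # 09:00 -> complete 2, failed 1; 10:00 -> 2, 0
    print(daily_failed_pct(hourly))  # {2018-06-11 00:00: 25.0}
```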

logloganathan
Motivator

Looks like you are making things very difficult.
Please use the query below; it will work.

index="index" "message: end"
| timechart span=1h count as complete
| appendcols [ search index="index" "message: end" "status: failed"
    | timechart span=1h count as failed ]
| eval "Failed %"=failed*100/complete

Please let me know if any issues
