- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Result of a calc in a timechart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'm trying to make an availability graph based on the below calculation:
index="MY_INDEX" host="MY_HOST" NOT "UNWANTED_VHOST" | stats count(eval(status="500" OR status="501" OR status="502" OR status="503" OR status="504" OR status="505" OR status="506" OR status="507" OR status="508" OR status="509" OR status="510" OR status="511")) as error count(eval(status="200")) as good | head 100 | eval calc = (100/(good+error))*good | stats sum(calc) as Disponibilité
The calculation is Ok but I'm not coming to create a timechart where the evolution of "Disponibilité" is calculated day by day.
Do you have any idea of how I can do that ?
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your quick answers @efavreau, @nickhillscpl 🙂
With your help I've found the solution for my case and I put it below if it's can help somebody :
index="MY_INDEX" host="MY_HOST" NOT "UNWANTED_VHOST" | timechart span=1Month count(eval(status>500)) as error count(eval(status="200")) as good | head 100 | eval calc = (100/(good+error))*good | table _time calc
Have a nice day
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your quick answers @efavreau, @nickhillscpl 🙂
With your help I've found the solution for my case and I put it below if it's can help somebody :
index="MY_INDEX" host="MY_HOST" NOT "UNWANTED_VHOST" | timechart span=1Month count(eval(status>500)) as error count(eval(status="200")) as good | head 100 | eval calc = (100/(good+error))*good | table _time calc
Have a nice day
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not exactly sure how you want to represent this data, maybe this is what you are looking for, but in any case its a simpler search.
Try the following and let us know how you would like to represent it.
index="MY_INDEX" host="MY_HOST" NOT "UNWANTED_VHOST"
| eval result=case(status>500, "error", status=200, "good",1=1,"unknown")
| timechart count by result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@tmeriadec Try changing your last line to achieve what you're looking for. The Timechart command is similar to stats, but includes _time in its use automatically, whereas using stats you would have to account for this on your own. The span=1d is to set your time bucketing into 1 day bins.
| timechart span=1d sum(calc) AS Disponibilité
If this reply helps you, an upvote would be appreciated.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
