Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Query Help =(

dmw7752
Engager
‎07-31-2013 03:49 PM

I am trying to monitor the percentages of 500's per endpoint of my api. I currently am returning all of the information and want to only show results if the percentage goes over 5%. (this way I can alert whenever the report is ran and there are greater than 0 results.

sourcetype=My_Api_Access_Log

| eval path=My_Path

| eval endpoint = method." ".path

| eval iserror=if(status=500,1,0)

| eval err_user=if(iserror==1, user_id, null())

| stats sum(iserror) as errors, count as total, dc(err_user) as users by endpoint

| where errors != 0

| eval percent=round(100*errors/total,2)."%"

| fields endpoint, errors, total, percent, users

| sort -percent

This is working great, but when I add:

| where percent > 5

I get no results even though I know I have endpoints over 5% error rates.
Any ideas?

Tags (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Gilberto_Castil
Splunk Employee
Splunk Employee
‎07-31-2013 04:02 PM

When you append the symbol "%" to your percent field, you change it's type from numerical to string. Comparing a string to a numeric value will render no results. This akin to comparing "5%" > 5.

Change

 | eval percent=round(100*errors/total,2)."%"

to this:

| eval percent=round(100*errors/total,2)

And add this to the end of your search.

| eval percent=percent."%"

View solution in original post

Reply
Solved! Jump to solution
Solution

Gilberto_Castil
Splunk Employee
Splunk Employee
‎07-31-2013 04:02 PM

When you append the symbol "%" to your percent field, you change it's type from numerical to string. Comparing a string to a numeric value will render no results. This akin to comparing "5%" > 5.

Change

 | eval percent=round(100*errors/total,2)."%"

to this:

| eval percent=round(100*errors/total,2)

And add this to the end of your search.

| eval percent=percent."%"
Reply
Solved! Jump to solution

dmw7752
Engager
‎07-31-2013 04:08 PM

Oh my God...Im so stupid. Thank you. I cam back to this search after writing it a month ago and forgot I added that for aesthetics. Fresh pair of eyes. You sir, saved my sanity.

http://24.media.tumblr.com/022c89f083711e52d47f5dc75db33db6/tumblr_mocdvvCOSs1srujzdo1_500.gif

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...