Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I compare the ratio of errors to 10 minutes ago for all our app_pools?

daniel333
Builder
‎06-24-2016 03:41 PM

I would like to get a ratio of errors by app_pool, and then compare it to 5, 10, 1hr ago? 

tag=java | 
stats count as "Events" by app_pool | 
appendcols [search 
tag=java tag=problem |
stats count as "Problems" by app_pool]

I am thinking a running summary index counting errors and counting events by app_pool, then a search which compares things after the fact? Is there a better way to do this?

0 Karma
Reply

woodcock
Esteemed Legend
‎06-24-2016 08:01 PM

You need the timewrap app:

https://splunkbase.splunk.com/app/1645/

0 Karma
Reply

sundareshr
Legend
‎06-24-2016 03:58 PM

Try this

tag=java earliest=@d | timechart span=1h count as Events count(eval(tag=problem)) as Problems | eval ratio=round(Problems/Events, 2)
0 Karma
Reply

daniel333
Builder
‎06-24-2016 04:18 PM

Hmm, the evals there don't seem to work. Returning nothing.

0 Karma
Reply

sundareshr
Legend
‎06-24-2016 04:39 PM

Sorry, problem needs to be in quotes. count(eval(tag="problem"))

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...