Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my search so the eval function to ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mtrochym
Observer
01-05-2017
01:25 PM
I am looking to find the errorpercentage of ERROR_CODES vs the number of "ACTIVITY="logins" per division (we have 4 of them) in a timechart. Below is my current search, which works well for only one division. You will notice that my count(eval is excluding two specific errorcodes.)
index=something ERROR_CODE="*" ACTIVITY="*" division=NY
|timechart count(eval(ERROR_CODE!="N/A" AND ERROR_CODE!="900")) as EC , count(eval(ACTIVITY="logins")) as Search
| eval ErrorPercent= round(((EC)/Search)*100) |fields - Search - EC
This works great to show me the "ErrorPercent" for one division but when I try adding 'by division' into my timechart (like this)
|timechart count(eval(ERROR_CODE!="N/A" AND ERROR_CODE!="900")) as EC , count(eval(ACTIVITY="logins")) as Search by division
I only end up with fields "EC: division" & "Search: division" per division. The search doesn't seem to go further and show me the "ErrorPercent" field per division.
Any help would be appreciated.
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-05-2017
02:18 PM
Give this a try
index=something ERROR_CODE="*" ACTIVITY="*" division=*
|timechart count(eval(ERROR_CODE!="N/A" AND ERROR_CODE!="900")) as EC , count(eval(ACTIVITY="logins")) as Search by division
| foreach EC* [eval "ErrorPercent<<MATCHSTR>>"= round((('<<FIELD>>')/'Search<<MATCHSTR>>')*100) ] |fields - Search* - EC*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-05-2017
02:18 PM
Give this a try
index=something ERROR_CODE="*" ACTIVITY="*" division=*
|timechart count(eval(ERROR_CODE!="N/A" AND ERROR_CODE!="900")) as EC , count(eval(ACTIVITY="logins")) as Search by division
| foreach EC* [eval "ErrorPercent<<MATCHSTR>>"= round((('<<FIELD>>')/'Search<<MATCHSTR>>')*100) ] |fields - Search* - EC*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mtrochym
Observer
01-06-2017
10:42 AM
That worked! Thank you so much!!
Get Updates on the Splunk Community!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
.conf24 | Personalize your .conf experience with Learning Paths!
Personalize your .conf24 Experience
Learning paths allow you to level up your skill sets and dive deeper ...
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...
