- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Ratio between two distinct counts on timechart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, was here yesterday, made minor improvements...
I have a set of data where each message sent corresponds to an input event from an app. Every message contains a user_id. Some of these messages also contain the field log_info, which indicates that whatever happened in the input was an error. I want to find out how many users in the past hour (or whatever timeline) encountered an error, and display this as a percent versus all active users over the hour, and finally display this on a timechart. So far I have:
source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id) as errs | rename errs as query]/users
Which does everything I want it to, except displaying as a chart. When I replace stats with timechart Splunk doesn't seem to like it. I'm very new to Splunk, but as far as I know stats and timechart do the same thing, except with different formatting. I've tried about a million different things at this point but can't think of where else to go.
Thanks for any help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, stats and timechart do not do the same thing. A timechart always will have _time in the X axis, while you can tell stats what to chart on.
I also have the feeling that what you are after is much simpler than what your code is doing.
Not sure if I understood what you want, but maybe this will help you:
source=app | timechart span=1h dc(user_id) by log_info | rename NULL as ok | addtotals
If you configure the chart view as a stacked column chart, you will see that you will have a distinct count per hour of the users that had problems, the users that did not have errors and the totals. I guess from there you can easily obtain your percentage 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, stats and timechart do not do the same thing. A timechart always will have _time in the X axis, while you can tell stats what to chart on.
I also have the feeling that what you are after is much simpler than what your code is doing.
Not sure if I understood what you want, but maybe this will help you:
source=app | timechart span=1h dc(user_id) by log_info | rename NULL as ok | addtotals
If you configure the chart view as a stacked column chart, you will see that you will have a distinct count per hour of the users that had problems, the users that did not have errors and the totals. I guess from there you can easily obtain your percentage 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exactly what I was looking for, thanks very much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
another option would be: create a new field 'error' and do an eval depending on the presence of a value in the field log_info . That way you will have all the error ones together in your timechart
source=app eval error=case(isnotnull(log_info),"TRUE",isnull(log_info)"FALSE") | timechart span=1h dc(user_id) by error | addtotals
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
