- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Timechart with success and failure and failure...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timechart with success and failure and failure/success percentage, grouped by Server
I've two patterns, say like this - "successPattern" and "failurePattern". I want to make a timechart comparing success vs failure and failure percentage, server wise. I've attached the expected output. Here host1, host2 are the servers, available with field name "host"
Could someone please help ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so you can't have a multi-tiered table, like you show in your example, in Splunk. The closest you can get is to name the columns with host1-failures, host1-success, etc.
something like this might work:
...|timechart span=1m count(successPattern) as success count(failurePattern) as failures by host|foreach failures* [eval failure_perc<<MATCHSTR>>='<<FIELD>>'/('<<FIELD>>'+'success<<MATCHSTR>>')*100]|fields _time *host1 *host2
if your success/failures is in the same field, you'll need to adjust the timechart commands to use something like count(eval(field="successPattern")) as success
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not getting fully. What will be at the start, before the time chart pipe ? To be clear, successPattern/failurePattern is not a field name, but rather a generic pattern, they may not even be in same field.
For example successpattern is "functionName status is:0" and failurepattern is "functionname completed with error" . Also the value of host field changes according to the success/failure patterns and it's not limited to host1 and host2, so can't hard-code in the search. I'm trying to get a generic query.
host1-success,host2-success columns are absolutely fine.
Simply my requirement is, "provide server wise failure/success count and failure percentage, where 2 patterns for success and failure will be provided"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i would probably create a field called successPattern and one called failurePatten based on what you've outlined. I'm not sure if "funcationName status is:0" is from raw events, but let's say you can use that.
base search|eval successPattern=if(like(_raw,"%functionName status is:0%"),1,null())|eval failurePattern=if(like(_raw,"%functionname completed with error%"),1,null())|timechart span=1m count(successPattern) as success count(failurePattern) as failures by host|foreach failures* [eval failure_perc<<MATCHSTR>>='<<FIELD>>'/('<<FIELD>>'+'success<<MATCHSTR>>')*100]|fields _time *host1 *host2
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
