Splunk Search

Why can't I get a failure rate field (percentage) to show up on chart?

Jbarr5695
Loves-to-Learn

Hello,

I was wondering if anyone could help me with this simple problem: I'm trying to graph the total number of good calls and bad calls, as well as their fail rate percentages, on a chart. So far I've been able to chart the sums of good calls and bad calls according to the respective 'channel' that they were on, but the Fail_Rate percentage field that I've tried to define doesn't seem to be working out.

I've tried a few different methods of plotting the Fail_Rate, but at this point I'm questioning whether or not I've defined the field correctly:

source="C:\\Call_logs" termcodeID=1 OR termcodeID=34 OR termcodeID=7 OR termcodeID=9 OR termcodeID=21 OR termcodeID=27 OR termcodeID=30 OR termcodeID=32 OR termcodeID=34 ChanID!=0 | 
eval Good=if(termcodeID=1,"Good", "Bad") |
eventstats count(termcodeID) as totalcalls |
eval Fail_Rate=sum((Bad/totalcalls)*100,1) | 
chart count over ChanID by Good

0 Karma

bowesmana
SplunkTrust

Your chart command will not carry the failure rate through, and your calculation is wrong anyway. The simplest way is to calculate the totals AFTER the chart command:

source="C:\\Call_logs" termcodeID=1 OR termcodeID=34 OR termcodeID=7 OR termcodeID=9 OR termcodeID=21 OR termcodeID=27 OR termcodeID=30 OR termcodeID=32 OR termcodeID=34 ChanID!=0 
| eval Good=if(termcodeID=1,"Good", "Bad") 
| chart count over ChanID by Good
``` So now you have a Good and Bad column for each ChanID and you
    can use eventstats to calculate the totals (faster than doing it before
    the chart command) ```
| eventstats sum(eval(Good+Bad)) as totalcalls 
``` Now calculate rate ```
| eval Fail_Rate=(Bad/totalcalls)*100
| fields - totalcalls

Then you can add that field as a chart overlay to give the rate.

0 Karma
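A self-contained version of the chart-then-calculate approach, added here as an example and not part of either poster's search. The `makeresults` events are constructed sample data, and `row_total` and `Chan_Fail_Rate` (the failure rate within each channel, next to the share-of-all-calls rate from the answer above) are hypothetical names introduced for illustration.

```spl
| makeresults count=12 ``` constructed sample events, not real call logs ```
| streamstats count as n
| eval ChanID=(n % 3) + 1
| eval termcodeID=case((n % 4) == 0, 34, (n % 5) == 0, 7, true(), 1)
| eval Good=if(termcodeID=1, "Good", "Bad")
| chart count over ChanID by Good
| fillnull value=0 Good Bad ``` covers the case where no event produced a Good or a Bad column ```
| eval row_total=Good + Bad
| eventstats sum(row_total) as totalcalls
| eval Fail_Rate=round((Bad / totalcalls) * 100, 1) ``` share of all calls, as in the answer above ```
| eval Chan_Fail_Rate=round((Bad / row_total) * 100, 1) ``` assumption: rate within each channel ```
| fields - row_total totalcalls
```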

jdunlea
Contributor

When you say you are trying to "plot" the Fail_Rate on a chart, I presume you are trying to chart this over time, by ChanID?

source="C:\\Call_logs" termcodeID=1 OR termcodeID=34 OR termcodeID=7 OR termcodeID=9 OR termcodeID=21 OR termcodeID=27 OR termcodeID=30 OR termcodeID=32 OR termcodeID=34 ChanID!=0 
| bucket _time span=1h |
eval good_call=if(termcodeID=1,1, 0) |
eval bad_call=if(good_call=1,0, 1) |
eventstats count(termcodeID) as totalcalls sum(bad_call) as bad_call_count by ChanID |
eval Fail_Rate=((bad_call_count/totalcalls)*100) | 
timechart span=1h max(Fail_Rate) as Fail_Rate by ChanID

If so, you can try something like this (but I have not seen your data so I cannot guarantee if this will work for you, but some variation of this should work).

(If this is not what you are trying to do, please clarify what you are trying to do and I will re-work the search to try and accommodate your use case)

0 Karma