- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why is my table search not displaying the appl...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
i am trying to display success,error and others with percentage in a table but application name is not displaying with below search.
can we tune below search to display application name?
index=Myindex "|METRICS|" cf_org_name="CCN" cf_space_name="lab" cf_app_name="*"|stats count(eval(ResponseCode=200))
as Success, count(eval(ResponseCode!=200 AND ResponseCode!=400 AND ResponseCode!=401 AND ResponseCode!=403)) as Error, count(eval(ResponseCode=400 OR ResponseCode=403 OR ResponseCode=500)) as Others, count(ResponseCode) as Total
| eval Percent_Error=round(Error/ Total * 100, 1)| eval Percent_Success=round(Success/ Total * 100, 1)
|eval Percent_Others=round(Others/ Total * 100, 1)| eval Percent_Success=round(Percent_Success,2)|eval Percent_Error=round(Percent_Error,2)
|eval Percent_Others=round(Percent_Others,2)|rename _time as Time
| table cf_app_name Total Success Error Others Percent_Error Percent_Success Percent_Others
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am able get application name in table,i corrected the query
can we represent same search or using below search and represent in different visualization other than table?
index=Myindex "|METRICS|" cf_org_name="CCN" cf_space_name="lab" cf_app_name="*"|stats count(eval(ResponseCode=200))
as Success, count(eval(ResponseCode!=200 AND ResponseCode!=400 AND ResponseCode!=401 AND ResponseCode!=403)) as Error, count(eval(ResponseCode=400 OR ResponseCode=403 OR ResponseCode=500)) as Others, count(ResponseCode) as Total by cf_app_name
| eval Percent_Error=round(Error/ Total 100, 1)| eval Percent_Success=round(Success/ Total 100, 1)
|eval Percent_Others=round(Others/ Total 100, 1)| eval Percent_Success=round(Percent_Success,2)|eval Percent_Error=round(Percent_Error,2)
|eval Percent_Others=round(Percent_Others,2)|rename _time as Time
| table cf_app_name Total Success Error Others Percent_Error Percent_Success Percent_Others
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am able get application name in table,i corrected the query
can we represent same search or using below search and represent in different visualization other than table?
index=Myindex "|METRICS|" cf_org_name="CCN" cf_space_name="lab" cf_app_name="*"|stats count(eval(ResponseCode=200))
as Success, count(eval(ResponseCode!=200 AND ResponseCode!=400 AND ResponseCode!=401 AND ResponseCode!=403)) as Error, count(eval(ResponseCode=400 OR ResponseCode=403 OR ResponseCode=500)) as Others, count(ResponseCode) as Total by cf_app_name
| eval Percent_Error=round(Error/ Total 100, 1)| eval Percent_Success=round(Success/ Total 100, 1)
|eval Percent_Others=round(Others/ Total 100, 1)| eval Percent_Success=round(Percent_Success,2)|eval Percent_Error=round(Percent_Error,2)
|eval Percent_Others=round(Percent_Others,2)|rename _time as Time
| table cf_app_name Total Success Error Others Percent_Error Percent_Success Percent_Others
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should click Accept on your answer to close this question and then ask a new question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sure,i got the answer.accepted
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad you were able to resolve your own issue. Based on your data, one string key and multiple number data points, you could create a column chart or bar chart for it. One problem that you may face is that you're displaying both count as percentage, and scale for both could be very different, I would suggest to limit your visualization to any one type, either count or percentage fields. (in last table command either use | table cf_app_name Total Success Error Others OR use | table cf_app_name Percent_Error Percent_Success Percent_Others
The line |rename _time as Time is dead code as after stats there is no _time field.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
