nocturno
Reputation: 83
Splunk - Stats search count by day with percentage against day-total
The use-case I have is to provide the count of a certain error (searched by a certain pattern) by day and provide a percentage of such 'errored' requests against the total number of requests (searched without the error pattern) handled every day. Unable to form the appropriate query for it. The base queries are -
Get total counts for each day:
index=my_index | bucket _time span=day | stats count by _time
Get just errors for each day:
index=my_index "Error-Search-Pattern" | bucket _time span=day | stats count by _time
How do I combine the two counts to show up side-by-side and show the error:total percentage?
Thanks in advance.
Upvotes: 6
Views: 9338
Answers (1)
RichG
Reputation: 9916
Try this
index=my_index
| eval error=if(match(_raw,".*Error-Search-Pattern.*"), 1, 0)
| bucket _time span=1d
| stats count as total, count(eval(error==1)) as errored by _time
Upvotes: 2
Related Questions
- Splunk query for showing day wise percentage
- Splunk query - Total or Count by field
- Output counts grouped by field values by for date in Splunk
- Splunk percentage value for each category
- Count and sum in splunk
- How to add total and percentage column for splunk timechart command
- Sum of count with Splunk
- How to count the total number of events in a splunk search result?
- How to count results in Splunk and put them in a table?
- Splunk Query Count of Count