https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43845#M10337 <P>The timechart can't perform the eval math, my mistake. As a quick fix to get you going, do the search as you originally had it, but add "by _time" to the end of your stats command. That will produce the time values you need for the timechart.</P> Tue, 15 Feb 2011 08:22:12 GMT Ron_Naken 2011-02-15T08:22:12Z https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43838#M10330 <P>Hi,</P> <P>I am trying to plot the percentage data over a period of span 1h.</P> <P>host="abc" sourcetype="xyz" ("Eurl" ) | eval series1 = "Request" | append [search host="abc" sourcetype="xyz" ("Esuccess") | eval series2 = "Success"] | stats count(series1) as s1, count(series2) as s2 | eval pct=(s2*100/s1) | timechart span=1h avg(pct)</P> <P>I am able to see the PCT value in one row, which is not helping the cause. I am looking for PCT data for every 1 hour.</P> <P>This query does not return result if I add timechart. Not sure about the reason.</P> <P>Please help.</P> Mon, 14 Feb 2011 15:36:05 GMT https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43838#M10330 aahadqj 2011-02-14T15:36:05Z https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43839#M10331 <P>Try it like this:</P> <PRE><CODE>host="abc" sourcetype="xyz" ("Eurl" ) | eval series1 = "Request" | append [search host="abc" sourcetype="xyz" ("Esuccess") | eval series2 = "Success"] | timechart span=1h count(series2)*100/count(series1) </CODE></PRE> <P>Your <STRONG>stats</STRONG> output doesn't contain the temporal values you need for the <STRONG>timechart</STRONG>. Easier than doing a "<STRONG>by _time</STRONG>" in your <STRONG>stats</STRONG>, you can just perform the math with <STRONG>timechart</STRONG> -- it supports the same functions as <STRONG>stats</STRONG>.</P> Mon, 14 Feb 2011 15:54:57 GMT https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43839#M10331 Ron_Naken 2011-02-14T15:54:57Z https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43840#M10332 <P>It's quite common to do complex things like this with <CODE>join</CODE> and <CODE>append</CODE>. In the end it's easier to do with a disjunction (OR) and a little bit of eval magic. Also by eliminating the subsearch you'll speed things up quite a bit.</P> <P><CODE>host="abc" sourcetype="xyz" (Eurl OR Esuccess) | eval series = if(searchmatch("eurl","Request",series)) | eval series = if(searchmatch("Esuccess","Success",series)) | timechart count by series | eval pct=Success*100/Request | fields - Success request</CODE></P> <P>Here we just take all the events glommed together from both "Eurl" and "Esuccess", and we use eval to paint a field called 'series' onto the events, which will have values "Request" and "Success". Specifically the <CODE>if</CODE> function in eval will evaluate the first argument, which is a <CODE>searchmatch</CODE> function. If the <CODE>searchmatch</CODE> matches, <CODE>if</CODE> will return the second argument. Otherwise <CODE>if</CODE> returns the third argument. Then we let plain old timechart split this up by the two values. And then a little eval on the end I think should give you the percent you want. </P> <P>minor notes: your <CODE>stats count</CODE> was essentially throwing away all your time information. Delete the timechart clause in your original searhc and run it again, then picture giving those output rows to timechart, as though those two rows were the only events. You'll then understand why timechart was doing what it was doing. </P> Mon, 14 Feb 2011 15:55:40 GMT https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43840#M10332 sideview 2011-02-14T15:55:40Z https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43841#M10333 <P>The expression - count(series2)*100/count(series1) is not returning any result in the splunk. Do you know what could be the reason?</P> Mon, 14 Feb 2011 18:29:22 GMT https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43841#M10333 aahadqj 2011-02-14T18:29:22Z https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43842#M10334 <P>Getting this error - "Error in 'eval' command: The expression is malformed. Expected )". </P> <P>Please help</P> Mon, 14 Feb 2011 18:34:30 GMT https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43842#M10334 aahadqj 2011-02-14T18:34:30Z https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43843#M10335 <P>Yes, nick had a typo with a mismatched parenthesis, but all you need to do to fix it is to match them up correctly.</P> Tue, 15 Feb 2011 02:46:37 GMT https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43843#M10335 gkanapathy 2011-02-15T02:46:37Z https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43844#M10336 <P>Thanks Gerald. my bad for flying blind.</P> Tue, 15 Feb 2011 04:53:38 GMT https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43844#M10336 sideview 2011-02-15T04:53:38Z https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43845#M10337 <P>The timechart can't perform the eval math, my mistake. As a quick fix to get you going, do the search as you originally had it, but add "by _time" to the end of your stats command. That will produce the time values you need for the timechart.</P> Tue, 15 Feb 2011 08:22:12 GMT https://community.splunk.com/t5/Splunk-Search/timechart-percentage-data-not-working/m-p/43845#M10337 Ron_Naken 2011-02-15T08:22:12Z