https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354725#M104971 <P>Changing the span didn't work unfortunately. However DalJeanis seems to have figured it out. Now to process how that worked... </P> <P>Thanks for the help, though!</P> Tue, 07 Nov 2017 20:26:59 GMT j4adam 2017-11-07T20:26:59Z https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354716#M104962 <P>Sorry if the description isn't clear. Essentially, I'm making a dashboard to display the trends of a project from a list of projects. Each project has multiple tests that can be run with each test having multiple possible results (pass, fail, warning). I currently have a dashboard showing the trend of all tests across time as a general trend using this:</P> <P><CODE>| timechart count by test_result | untable _time test_result count | eventstats sum(count) as Total by _time | eval perc=round(count*100/Total,2) | table _time test_result perc | xyseries _time test_result perc</CODE></P> <P>What I would like to do is below this have a timechart of each test showing the individual test results over time. The new <CODE>trellis</CODE> option seems like it should be the answer to my question, but I haven't had any luck.</P> <P>Basically the goal is the same search above but trellised out into individual timecharts per test_name rather than all of them in one.</P> Tue, 07 Nov 2017 19:03:40 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354716#M104962 j4adam 2017-11-07T19:03:40Z https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354717#M104963 <P>Have you tried running timechart after calculating percentage, and then using the trellis visualization?</P> <P><CODE>| timechart count by test_result | untable _time test_result count | eventstats sum(count) as Total by _time | eval perc=round(count*100/Total,2) | timechart values(perc) AS perc by test_result</CODE></P> Tue, 07 Nov 2017 19:23:18 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354717#M104963 nileena 2017-11-07T19:23:18Z https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354718#M104964 <P>Thanks for the reply! That still ends up creating a trellis of the 3 (timechart for fails, for passes for warnings) with the percentages of each. What I need is a timechart for each test that contains the trends of each of the pass/fail/warning in the same chart.</P> Tue, 07 Nov 2017 19:36:51 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354718#M104964 j4adam 2017-11-07T19:36:51Z https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354719#M104965 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/37517">@j4adam</a>, refer to the following FEATURE REQUEST for Trellis Layout with Timechart. Since _time becomes one of the series for depiction in Timechart, you can either use test_result or perc but not both while splitting the chart.</P> <P><A href="https://answers.splunk.com/answers/588081/feature-request-trellis-timechart-with-color-by-fi.html" target="_blank">https://answers.splunk.com/answers/588081/feature-request-trellis-timechart-with-color-by-fi.html</A></P> Tue, 29 Sep 2020 16:35:29 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354719#M104965 niketn 2020-09-29T16:35:29Z https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354720#M104966 <P>Oh got it. So I assume you have another field (say, test) which indicates the test name or ID.<BR /> Also, assuming you can have 3 values for test_result: pass, fail and warning.<BR /> In which case, you could try:</P> <P><CODE>| timechart count(test_result="pass") AS pass_count count(test_result="fail") AS fail_count count(test_result="warning") AS warning_count count AS Total by test | eval perc_pass=round(pass_count*100/Total,2) | eval perc_fail=round(fail_count*100/Total,2) | eval perc_warning=round(warning_count*100/Total,2) | timechart values(perc_pass) AS perc_pass values(perc_fail) AS perc_fail values(perc_warning) AS perc_warning by test</CODE></P> <P>Does this make sense?</P> Tue, 07 Nov 2017 19:50:31 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354720#M104966 nileena 2017-11-07T19:50:31Z https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354721#M104967 <P>It does make sense, kind of. I have a field named test_name. I see what you're trying to do here, but I'm not entirely sure what the result is when I run it. I've ended up with a trellis of test_names with values charted (big step here) but it's just "Total" and "warning" but Warning is always 0 and Total has spikes that go back to 0 immediate after a single point after this portion: <CODE>| eval perc_pass=round(pass_count*100/Total,2) | eval perc_fail=round(fail_count*100/Total,2) | eval perc_warning=round(warning_count*100/Total,2)</CODE> If I add the other stuff it does not work unless I have just a single value and that also only shows one result.</P> Tue, 29 Sep 2020 16:38:46 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354721#M104967 j4adam 2020-09-29T16:38:46Z https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354722#M104968 <P>Could you try specifying the span for both time charts? (The same span for both)</P> Tue, 07 Nov 2017 20:14:25 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354722#M104968 nileena 2017-11-07T20:14:25Z https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354723#M104969 <P>Try something like this as your base search...</P> <PRE><CODE>your search here | bin _time span=15m | stats count as resultcount by _time test_name test_result | eventstats sum(resultcount) as totalcount by _time test_name | eval {test_result} = round(resultcount/totalcount,2) | fields - resultcount totalcount | stats values(*) as * by _time test_name </CODE></PRE> <P>Adjust the span as needed.</P> Tue, 07 Nov 2017 20:16:04 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354723#M104969 DalJeanis 2017-11-07T20:16:04Z https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354724#M104970 <P>wow, that did it!</P> Tue, 07 Nov 2017 20:25:53 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354724#M104970 j4adam 2017-11-07T20:25:53Z https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354725#M104971 <P>Changing the span didn't work unfortunately. However DalJeanis seems to have figured it out. Now to process how that worked... </P> <P>Thanks for the help, though!</P> Tue, 07 Nov 2017 20:26:59 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-number-of-timecharts-of-field-values-by-another-field/m-p/354725#M104971 j4adam 2017-11-07T20:26:59Z