topic How could I chart ratio of counts of field values? in Splunk Search

How could I chart ratio of counts of field values?

jchowdown — Mon, 11 Feb 2019 22:38:22 GMT

Hi, suppose my events contain this field with two possible values:

Ok=True or
Ok=False

Every hour, I'll have a certain number ('TTT') of True values and a certain number ('FFF') of False values.

I want to create a chart that shows the failure rate (FFF/(TTT+FFF)) for any given time bucket size.

Is that possible please?

Thanks in advance.

Re: How could I chart ratio of counts of field values?

chrisyounger — Mon, 11 Feb 2019 23:44:18 GMT

Yep. Do this |eval rate = (FFF/(TTT+FFF)) | timechart span=1h avg(rate) as rate

You can set span to whatever you want.

Re: How could I chart ratio of counts of field values?

woodcock — Tue, 12 Feb 2019 08:03:12 GMT

Like this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo
| bin _time span=1h
| chart count BY _time Ok
| eval pct=100*False/(False+True)
| timechart span=1h first(pct) AS pct

Re: How could I chart ratio of counts of field values?

jchowdown — Tue, 12 Feb 2019 21:25:29 GMT

Sorry, I'm still a noob when it comes to splunk, but how would I actually obtain the queries for FFF and TTT?
I tried various combinations of this (and the answer below) but nothing gets charted

Re: How could I chart ratio of counts of field values?

woodcock — Wed, 13 Feb 2019 01:00:00 GMT

I had a mistake and edited my answer to fix it. Try again.

Re: How could I chart ratio of counts of field values?

jchowdown — Wed, 13 Feb 2019 21:24:04 GMT

This is perfect, thanks! Works like a charm!