topic Re: Show the a particular percentage using Single Value in Splunk Search

Show the a particular percentage using Single Value

JRamirezEnosys — Wed, 06 Jun 2018 07:00:39 GMT

Hello Splunkers,

I've been trying to show in a Single Value Visualization 3 different percentage values.

My search looks into a single field of Email Actioning called "Act" , they are Accepted (Acc), Rejected (Rej) and Bounced (Bnc)

Best I was able to do was

index=email_logs Dir=inbound | timechart span=1d count by Act | untable _time Act count | eventstats sum(count) as Total by _time | eval perc=round(count*100/Total,2) | table _time Act perc | xyseries _time Act perc

Whenever I send it as a Single Value it will show the Highest Value, Accepted on this case, but I don't see a way to show the Rejected or Bounced as a separate Single Value representation.

Could I get some advice,

Thank you.

Re: Show the a particular percentage using Single Value

FrankVl — Wed, 06 Jun 2018 07:56:18 GMT

I guess you have two options to achieve that:

If you're on a recent version of Splunk (6.6.x or 7.x), you could use the Trellis layout, to split by Act and show multiple single value visualizations in 1 go.
Create separate dashboard panels for each of the 3 data points.

Re: Show the a particular percentage using Single Value

JRamirezEnosys — Wed, 06 Jun 2018 23:43:14 GMT

Thank you for your response FranKVI,

I am currently running on 6.5.2 which does not allow me to use Trellis.

I would go for 3 separate dashboard panels but how do I get the correct percentage to show on every search?

I need a Search String to find the percentage of Acc, Bnc and Rej separately, is this doable ?

Re: Show the a particular percentage using Single Value

niketn — Tue, 29 Sep 2020 19:55:57 GMT

@JRamirezEnosys, you would need to use Post Processing as your base search is transforming results as Time Series trend of percent of Each category of Act.

On similar lines to your question, I have used run anywhere example based on Splunk's _internal index which has a field called log_level with three values INFO WARN ERROR. I have changed your query to use addtotals with row=t to get row-wise total and then used foreach command to perform similar eval for INFO ERROR and WARN fields and calculate the total. This search has been used as as base search and fields _time and ERROR are retained for Error Trend Single Value Panel and similarly for other to series.

Please find below the Run anywhere Simple XML Dashboard code for the attached screenshot.

<form>
  <label>Show Separate Series in Single Value</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <title>Base Search All Results (Displaying Only For Demo)</title>
      <input type="time" token="tokTime" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table>
        <search id="baseAllLogLevelPercentWithTime">
          <query>index=_internal sourcetype=splunkd log_level=* 
| timechart span=1d count by log_level 
| addtotals row=t col=f 
| foreach "ERROR" "INFO" "WARN" 
    [| eval "<<FIELD>>"= round(('<<FIELD>>'/Total)*100,2) ]
| fields - Total</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <title>INFO % - Single Value Trend</title>
        <search base="baseAllLogLevelPercentWithTime">
          <query>| table _time INFO</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0xd93f3c","0xf7bc38","0x65a637"]</option>
        <option name="rangeValues">[90,95]</option>
        <option name="unit">%</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
      <single>
        <title>WARN % - Single Value Trend</title>
        <search base="baseAllLogLevelPercentWithTime">
          <query>| table _time WARN</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x65a637","0xf7bc38","0xd93f3c"]</option>
        <option name="rangeValues">[5,10]</option>
        <option name="unit">%</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
      <single>
        <title>Error % - Single Value Trend</title>
        <search base="baseAllLogLevelPercentWithTime">
          <query>| table _time ERROR</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x65a637","0xf7bc38","0xd93f3c"]</option>
        <option name="rangeValues">[5,10]</option>
        <option name="unit">%</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
  </row>
</form>

Re: Show the a particular percentage using Single Value

FrankVl — Thu, 07 Jun 2018 08:05:06 GMT

I guess the following would work, based of your current query:

define this as base search:

index=email_logs Dir=inbound | timechart span=1d count by Act | untable _time Act count | eventstats sum(count) as Total by _time | eval perc=round(count*100/Total,2)

panel search (example for Acc, use similar for the other 2):

| where Act = "Acc" | table _time,perc

But you might want to take a look at the solution suggested by @niketnilay for a slightly different approach.

Re: Show the a particular percentage using Single Value

niketn — Thu, 07 Jun 2018 12:05:29 GMT

@JRamirezEnosys, just want to add that special characters < and > got escaped while posting on Splunk Answers. So you should use & lt; & lt;FIELD & gt; & gt; instead of <<FIELD>>

Refer to documentation for foreach command related details.