https://community.splunk.com/t5/Splunk-Search/Result-of-a-calc-in-a-timechart/m-p/467824#M131689 <P>Hello,</P> <P>I'm trying to make an availability graph based on the below calculation:</P> <P>index="MY_INDEX" host="MY_HOST" NOT "UNWANTED_VHOST" | stats count(eval(status="500" OR status="501" OR status="502" OR status="503" OR status="504" OR status="505" OR status="506" OR status="507" OR status="508" OR status="509" OR status="510" OR status="511")) as error count(eval(status="200")) as good | head 100 | eval calc = (100/(good+error))*good | stats sum(calc) as Disponibilité</P> <P>The calculation is Ok but I'm not coming to create a timechart where the evolution of "Disponibilité" is calculated day by day.</P> <P>Do you have any idea of how I can do that ?</P> <P>Regards,</P> Wed, 30 Sep 2020 04:07:34 GMT tmeriadec 2020-09-30T04:07:34Z https://community.splunk.com/t5/Splunk-Search/Result-of-a-calc-in-a-timechart/m-p/467824#M131689 <P>Hello,</P> <P>I'm trying to make an availability graph based on the below calculation:</P> <P>index="MY_INDEX" host="MY_HOST" NOT "UNWANTED_VHOST" | stats count(eval(status="500" OR status="501" OR status="502" OR status="503" OR status="504" OR status="505" OR status="506" OR status="507" OR status="508" OR status="509" OR status="510" OR status="511")) as error count(eval(status="200")) as good | head 100 | eval calc = (100/(good+error))*good | stats sum(calc) as Disponibilité</P> <P>The calculation is Ok but I'm not coming to create a timechart where the evolution of "Disponibilité" is calculated day by day.</P> <P>Do you have any idea of how I can do that ?</P> <P>Regards,</P> Wed, 30 Sep 2020 04:07:34 GMT https://community.splunk.com/t5/Splunk-Search/Result-of-a-calc-in-a-timechart/m-p/467824#M131689 tmeriadec 2020-09-30T04:07:34Z https://community.splunk.com/t5/Splunk-Search/Result-of-a-calc-in-a-timechart/m-p/467825#M131690 <P>@tmeriadec Try changing your last line to achieve what you're looking for. The <CODE>Timechart</CODE> command is similar to <CODE>stats</CODE>, but includes _time in its use automatically, whereas using <CODE>stats</CODE> you would have to account for this on your own. The <CODE>span=1d</CODE> is to set your time bucketing into 1 day bins.</P> <PRE><CODE>| timechart span=1d sum(calc) AS Disponibilité </CODE></PRE> Mon, 17 Feb 2020 14:49:16 GMT https://community.splunk.com/t5/Splunk-Search/Result-of-a-calc-in-a-timechart/m-p/467825#M131690 efavreau 2020-02-17T14:49:16Z https://community.splunk.com/t5/Splunk-Search/Result-of-a-calc-in-a-timechart/m-p/467826#M131691 <P>I'm not exactly sure how you want to represent this data, maybe this is what you are looking for, but in any case its a simpler search.</P> <P>Try the following and let us know how you would like to represent it.</P> <PRE><CODE>index="MY_INDEX" host="MY_HOST" NOT "UNWANTED_VHOST" | eval result=case(status&gt;500, "error", status=200, "good",1=1,"unknown") | timechart count by result </CODE></PRE> Mon, 17 Feb 2020 14:53:45 GMT https://community.splunk.com/t5/Splunk-Search/Result-of-a-calc-in-a-timechart/m-p/467826#M131691 nickhills 2020-02-17T14:53:45Z https://community.splunk.com/t5/Splunk-Search/Result-of-a-calc-in-a-timechart/m-p/467827#M131692 <P>Thanks for your quick answers @efavreau, @nickhillscpl <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>With your help I've found the solution for my case and I put it below if it's can help somebody :</P> <PRE><CODE>index="MY_INDEX" host="MY_HOST" NOT "UNWANTED_VHOST" | timechart span=1Month count(eval(status&gt;500)) as error count(eval(status="200")) as good | head 100 | eval calc = (100/(good+error))*good | table _time calc </CODE></PRE> <P>Have a nice day</P> Mon, 17 Feb 2020 16:20:14 GMT https://community.splunk.com/t5/Splunk-Search/Result-of-a-calc-in-a-timechart/m-p/467827#M131692 tmeriadec 2020-02-17T16:20:14Z