https://community.splunk.com/t5/Splunk-Search/Timecharts-and-Multiple-Operating-Systems/m-p/498511#M138900 <P>I'm currently attempting to make a 6 month trend of multiple OS' compliance percentages into one timechart, but am running into trouble separating it by Operating system (the field containing this information is "check_checklist_name")</P> <P>Basically, I'd like for it to be one timechart that includes specific OS that I specify (via check_checklist_name) and then shows them all on a line chart with their trends over the past 6 months (so 6 lines on one 6 month trend chart). Would I need to include a bin as well to ensure the % are accurate from a few months ago and are not deduped out?</P> <P>Currently, I have the following:</P> <P>index=bigfix sourcetype="bigfix:compliance" check_checklist_name="Windows 2008" OR check_checklist_name="Windows 2012" OR check_checklist_name="Windows 7" OR check_checklist_name="Windows 10" OR check_checklist_name="RHEL 6" OR check_checklist_name="RHEL 7" state="passed" OR state="failed" <BR /> | dedup comp_id check_id <BR /> | timechart span=1mon count(eval(state="passed")) AS Passed, count(eval(state="failed")) AS Failed <BR /> | eval Percent_Compliance=(100-((Failed/(Passed+Failed))*100))<BR /> | table _time Percent_Compliance</P> <P>This gets me the overall percentage every month, but it does not break it down by the Operating System. Any help would be appreciated.</P> Wed, 30 Sep 2020 02:29:26 GMT giventofly08 2020-09-30T02:29:26Z https://community.splunk.com/t5/Splunk-Search/Timecharts-and-Multiple-Operating-Systems/m-p/498511#M138900 <P>I'm currently attempting to make a 6 month trend of multiple OS' compliance percentages into one timechart, but am running into trouble separating it by Operating system (the field containing this information is "check_checklist_name")</P> <P>Basically, I'd like for it to be one timechart that includes specific OS that I specify (via check_checklist_name) and then shows them all on a line chart with their trends over the past 6 months (so 6 lines on one 6 month trend chart). Would I need to include a bin as well to ensure the % are accurate from a few months ago and are not deduped out?</P> <P>Currently, I have the following:</P> <P>index=bigfix sourcetype="bigfix:compliance" check_checklist_name="Windows 2008" OR check_checklist_name="Windows 2012" OR check_checklist_name="Windows 7" OR check_checklist_name="Windows 10" OR check_checklist_name="RHEL 6" OR check_checklist_name="RHEL 7" state="passed" OR state="failed" <BR /> | dedup comp_id check_id <BR /> | timechart span=1mon count(eval(state="passed")) AS Passed, count(eval(state="failed")) AS Failed <BR /> | eval Percent_Compliance=(100-((Failed/(Passed+Failed))*100))<BR /> | table _time Percent_Compliance</P> <P>This gets me the overall percentage every month, but it does not break it down by the Operating System. Any help would be appreciated.</P> Wed, 30 Sep 2020 02:29:26 GMT https://community.splunk.com/t5/Splunk-Search/Timecharts-and-Multiple-Operating-Systems/m-p/498511#M138900 giventofly08 2020-09-30T02:29:26Z https://community.splunk.com/t5/Splunk-Search/Timecharts-and-Multiple-Operating-Systems/m-p/498512#M138901 <P>Have you tried <CODE>... | timechart span=1mon count(eval(state="passed")) AS Passed, count(eval(state="failed")) AS Failed BY check_checklist_name | ...</CODE> ?</P> Mon, 07 Oct 2019 13:48:15 GMT https://community.splunk.com/t5/Splunk-Search/Timecharts-and-Multiple-Operating-Systems/m-p/498512#M138901 richgalloway 2019-10-07T13:48:15Z https://community.splunk.com/t5/Splunk-Search/Timecharts-and-Multiple-Operating-Systems/m-p/498513#M138902 <P>I've also noticed when I attempt to round the percentage to 11 decimal it breaks the query. Could someone please explain to me why that is?</P> <P><CODE>enter code here</CODE>index=bigfix sourcetype="bigfix:compliance" check_checklist_name="Windows 2008" OR check_checklist_name="Windows 2012" OR check_checklist_name="Windows 7" OR check_checklist_name="Windows 10" OR check_checklist_name="RHEL 6" OR check_checklist_name="RHEL 7" state="passed" OR state="failed"<BR /> | dedup comp_id check_id<BR /><BR /> | timechart span=1mon count(eval(state="passed")) AS Passed, count(eval(state="failed")) AS Failed <BR /> | eval Percent_Compliance=(100-((Failed/(Passed+Failed))*100)) <BR /> | eval Compliance=round(Compliance,1) <BR /> | table _time Percent_Compliance<CODE>enter code here</CODE></P> Wed, 30 Sep 2020 02:29:30 GMT https://community.splunk.com/t5/Splunk-Search/Timecharts-and-Multiple-Operating-Systems/m-p/498513#M138902 giventofly08 2020-09-30T02:29:30Z https://community.splunk.com/t5/Splunk-Search/Timecharts-and-Multiple-Operating-Systems/m-p/498514#M138903 <P>That did move me in the right direction, It now displays all 7 of the respective OS's into a total of 14 columns (1 for passed: OS and one for failed:OS for each OS), but no percentages.</P> <P>Would I need to then right a massive eval statement where it becomes</P> <PRE><CODE> | timechart span=1mon count(eval(state="passed")) AS Passed, count(eval(state="failed")) AS Failed by check_checklist_name | eval Perc_RHEL7=(100-((Failed: RHEL 7*/(Passed: RHEL 7*+Failed: RHEL 7*))*100)) ...etc for all OS </CODE></PRE> <P>I've also noticed when I try to round to the nearest .1% it breaks the query as well...any thoughts? Thanks so much for getting me past the initial mental block.<BR /> Same with trying to add a bin so that it looks at everything in 1 month intervals without deduping previous months.</P> <P>Apologies for the amount of questions, these items have just been grating me for a while now where they work sometimes, but don't work other times.</P> Mon, 07 Oct 2019 14:05:22 GMT https://community.splunk.com/t5/Splunk-Search/Timecharts-and-Multiple-Operating-Systems/m-p/498514#M138903 giventofly08 2019-10-07T14:05:22Z https://community.splunk.com/t5/Splunk-Search/Timecharts-and-Multiple-Operating-Systems/m-p/498515#M138904 <P>You only need one <CODE>eval</CODE> statement to compute percentages for each OS. The one in your original query should work.<BR /> Adding <CODE>round</CODE> should be painless: <CODE>... | eval Percent_Compliance=round(Percent_Compliance,1) | ...</CODE>.<BR /> I'm not sure what you mean by "without deduping previous months". Dedup should not be needed.</P> Mon, 07 Oct 2019 14:31:59 GMT https://community.splunk.com/t5/Splunk-Search/Timecharts-and-Multiple-Operating-Systems/m-p/498515#M138904 richgalloway 2019-10-07T14:31:59Z https://community.splunk.com/t5/Splunk-Search/Timecharts-and-Multiple-Operating-Systems/m-p/498516#M138905 <P>Sorry, it looks like the difference between dedup and not is super negligible so I can simply remove the dedup and the bin.</P> <P>However; when I change the syntax to:</P> <PRE><CODE>index=bigfix sourcetype="bigfix:compliance" check_checklist_name="Windows 2008 " OR check_checklist_name="Windows 2012" OR check_checklist_name="Windows 2012" OR check_checklist_name="Windows 7" OR check_checklist_name="Windows 10" OR check_checklist_name="RHEL 6" OR check_checklist_name="RHEL 7" state="passed" OR state="failed" | timechart span=1mon count(eval(state="passed")) AS Passed, count(eval(state="failed")) AS Failed by check_checklist_name | eval Percent_Compliance=(100-((Failed/(Passed+Failed))*100)) | eval Percent_Compliance=round(Percent_Compliance,1) </CODE></PRE> <P>It shows the chart like before with 14 total columns for Passed and Failed for each OS (such as: Failed: RHEL6, Failed: RHEL7, Passed: RHEL6 etc), broken down by 6 months worth of rows. it does not compute the percentage though</P> <P>Thanks again for all of your help.</P> Mon, 07 Oct 2019 14:51:15 GMT https://community.splunk.com/t5/Splunk-Search/Timecharts-and-Multiple-Operating-Systems/m-p/498516#M138905 giventofly08 2019-10-07T14:51:15Z