topic Re: timechart calculated grouped value in Splunk Search

timechart calculated grouped value

ppediaditis — Mon, 28 Sep 2020 09:43:17 GMT

I have a query in the form

eventtype="search" | stats count as search_count by host | appendcols [search application=flights eventtype="pay_success" | stats count as buy_count by host] | eval conversion=(buy_count/search_count)*100

which works fine and gives me conversions per host,
however, if I want to chart this over time replacing stats with timechart , it doesn't work the way I expect it to.

Is there any way to timechart a calculated value grouped by another value?

Thanks!

Re: timechart calculated grouped value

BobM — Thu, 07 Jul 2011 10:22:50 GMT

I think you could do this by using the bucket function and stats

eventtype="search" | bucket _time span=1h | stats count as search_count by host _time | appendcols [search application=flights eventtype="pay_success" | bucket _time span=1h | stats count as buy_count by host _time ] | eval conversion=(buy_count/search_count)*100 | timechart first(conversion) by host

The bucket command groups data into hour blocks (you can change that to any period you wish) and then the stats now also groups by host and _time so it should now be possible to timechart.

Re: timechart calculated grouped value

ppediaditis — Thu, 07 Jul 2011 10:42:46 GMT

Nice! However, it doesn't allow me to use timechart with something other than a function (in this case conversion), is there some other syntax I should use?

Re: timechart calculated grouped value

BobM — Thu, 05 Jan 2012 23:38:19 GMT

Timechart has to use a function and the result has to be numerical but the function could be for example "values(field)".

In the above, conversion was a field name and not a function and I knew it only had one value so I used first as the function.