https://community.splunk.com/t5/Splunk-Search/How-to-create-top-command-results-in-timechart/m-p/320693#M95824 <P>Yep, it works.</P> <P>If I add in a <CODE>|timechart values(perc) by errorCode</CODE> it creates a visualization.</P> <P>Thanks!</P> Wed, 07 Mar 2018 12:06:51 GMT brajaram 2018-03-07T12:06:51Z https://community.splunk.com/t5/Splunk-Search/How-to-create-top-command-results-in-timechart/m-p/320691#M95822 <P>I'm trying to make a timechart to show percentage of error rates over a given time period. What I am looking for from a visualization perspective is a line chart that shows for any binned time period, what the total count of a specific error was, and what the overall percentage that was, and to have the chart be drawn based on the percentage.</P> <P>Ideally, I'd have both counts and percents on the same chart, but percentage is the important one so I can calculate percentage error over a given timeperiod.</P> <P>So far, my query is as follows: </P> <PRE><CODE>Initial Search to create the necessary variables|table errorCode _time|bin span=5m _time| eventstats count as total by _time | stats count values(total) as total by _time, errorCode </CODE></PRE> <P>errorCode contains a variety of values, with one value corresponding to success. In theory this should give me a table that looks like </P> <PRE><CODE>_time errorCode count total Bucket1 ErrorCode1 X X+Y+Z Bucket1 ErrorCode2 Y X+Y+Z Bucket1 Success Z X+Y+Z </CODE></PRE> <P>From there I would be able to use an <CODE>eval perc=count/total*100</CODE> to be able to build the timechart. However, the total column is incorrect and does not result in the correct values. What would be a better way to build this query out, and is it possible to have the chart be drawn based on percent, but have in any given tooltip percent and count values?</P> Tue, 06 Mar 2018 19:48:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-top-command-results-in-timechart/m-p/320691#M95822 brajaram 2018-03-06T19:48:33Z https://community.splunk.com/t5/Splunk-Search/How-to-create-top-command-results-in-timechart/m-p/320692#M95823 <P>Try this</P> <PRE><CODE>Initial Search to create the necessary variables | bin span=5m _time | table errorCode _time | stats count by _time, errorCode | eventstats sum(count) as total by _time | eval perc=round((count*100)/total,2) </CODE></PRE> <P>let me know if this helps!</P> Wed, 07 Mar 2018 05:49:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-top-command-results-in-timechart/m-p/320692#M95823 mayurr98 2018-03-07T05:49:49Z https://community.splunk.com/t5/Splunk-Search/How-to-create-top-command-results-in-timechart/m-p/320693#M95824 <P>Yep, it works.</P> <P>If I add in a <CODE>|timechart values(perc) by errorCode</CODE> it creates a visualization.</P> <P>Thanks!</P> Wed, 07 Mar 2018 12:06:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-top-command-results-in-timechart/m-p/320693#M95824 brajaram 2018-03-07T12:06:51Z