https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321752#M96135 <P>Sorry for the confusion. Thanks, @DalJeanis. Your solution works!</P> Tue, 25 Jul 2017 15:15:09 GMT jbrenner 2017-07-25T15:15:09Z https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321742#M96125 <P>Hello,</P> <P>I have the following query which gives me the percentage of successful orders for the time period selected in the drop-down:</P> <P>index=abc "search string 1" | STATS COUNT AS ATTEMPTED_ORDERS | appendcols [search index=abc "search string 2" | STATS COUNT AS SUCCESSFUL_ORDERS] | eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100 | TABLE PERCENT_SUCCESSFUL</P> <P>I would like to use the timechart keyword to obtain this value (PERCENT_SUCCESSFUL) for each day over the last month, so I can display it as a chart.</P> <P>Thanks!<BR /> Jonathan</P> Tue, 29 Sep 2020 14:59:33 GMT https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321742#M96125 jbrenner 2020-09-29T14:59:33Z https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321743#M96126 <P>try below</P> <P>index=abc earliest=-30d@d latest=now "search string 1" | STATS COUNT AS ATTEMPTED_ORDERS | appendcols [search index=abc earliest=-30d@d latest=now "search string 2" | STATS COUNT AS SUCCESSFUL_ORDERS] | eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100 | timechart span=1d count by PERCENT_SUCCESSFUL</P> Tue, 29 Sep 2020 14:59:39 GMT https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321743#M96126 sbbadri 2020-09-29T14:59:39Z https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321744#M96127 <P>Try this:</P> <PRE><CODE>index=abc "search string 1" | timechart span=1d count AS ATTEMPTED_ORDERS | appendcols [search index=abc "search string 2" | timechart span=1d count AS SUCCESSFUL_ORDERS] | stats values(*) AS * BY _time | eval PERCENT_SUCCESSFUL = (coalesce(SUCCESSFUL_ORDERS, 0)/coalesce(ATTEMPTED_ORDERS, SUCCESSFUL_ORDERS)) * 100 | table _time PERCENT_SUCCESSFUL </CODE></PRE> Thu, 20 Jul 2017 20:30:46 GMT https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321744#M96127 woodcock 2017-07-20T20:30:46Z https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321745#M96128 <P>Try this - </P> <PRE><CODE>| multisearch [search index=abc "search string 1" | eval Attempts = 1 | fields Attempts ] [search index=abc "search string 2" | eval Successes = 1 | fields Successes ] | bin _time span=1d | stats sum(*) as * by _time | eval Attempts=if(Successes&gt;Attempts, Successes, Attempts) | eval Percent_Successful = round(100*Successes/Attempts,0) | timechart span=1d max(Percent_Successful) </CODE></PRE> Thu, 20 Jul 2017 20:41:22 GMT https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321745#M96128 DalJeanis 2017-07-20T20:41:22Z https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321746#M96129 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/55793">@sbbadri</a> - Not a bad try, but that's not going to work because the initial <CODE>stats</CODE> command has a single result, not one result per day, so there is no field <CODE>_time</CODE> remaining to go into the <CODE>timechart</CODE> command. </P> <P>Go ahead and try again, you're on the right track. (no peeking at my version or <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/1406">@woodcock</a>'s version, they are not perfect so there's plenty of room for you to do better than us.</P> <P>Also, when you change your strategy to fix the _time issue, I would suggest avoiding <CODE>appendcols</CODE> since it will match up the records based on their order rather than based on their dates. You'll need to <CODE>bin</CODE> the <CODE>_time</CODE> to days match them up by <CODE>_time</CODE> either with a <CODE>stats</CODE> command or a <CODE>join</CODE>.</P> <P>I said "don't peek at woodcock's."</P> Tue, 29 Sep 2020 15:01:59 GMT https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321746#M96129 DalJeanis 2020-09-29T15:01:59Z https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321747#M96130 <P>Hey, under what circumstances is <CODE>timechart</CODE> ensured of coming up with the same start date for those two (sub) searches? I'm thinking that if there are no "search string 2" on the first day that there is a "search string 1", that the records will be matched up wrong.</P> Thu, 20 Jul 2017 20:51:18 GMT https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321747#M96130 DalJeanis 2017-07-20T20:51:18Z https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321748#M96131 <P>Good point, I have updated my answer.</P> Thu, 20 Jul 2017 21:02:52 GMT https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321748#M96131 woodcock 2017-07-20T21:02:52Z https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321749#M96132 <P>Hi Woodcock,</P> <P>Thanks for the answer.<BR /> When I run your query, I get the following error:</P> <PRE><CODE>Error in 'bin' command: Invalid argument: 'span' </CODE></PRE> <P>Thanks!<BR /> Jonathan</P> Mon, 24 Jul 2017 17:16:57 GMT https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321749#M96132 jbrenner 2017-07-24T17:16:57Z https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321750#M96133 <P>Formatting error; get rid of the spaces around the equals-sign <CODE>span=1d</CODE>. If updated my answer to fix this.</P> Tue, 25 Jul 2017 15:04:03 GMT https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321750#M96133 woodcock 2017-07-25T15:04:03Z https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321751#M96134 <P>Sorry @DalJeanis; I didn't check to see if OP was right about his attribution to me (he wasn't) until after I edited your answer. I also pulled the <CODE>bin</CODE> out of each search.</P> Tue, 25 Jul 2017 15:06:43 GMT https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321751#M96134 woodcock 2017-07-25T15:06:43Z https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321752#M96135 <P>Sorry for the confusion. Thanks, @DalJeanis. Your solution works!</P> Tue, 25 Jul 2017 15:15:09 GMT https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321752#M96135 jbrenner 2017-07-25T15:15:09Z https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321753#M96136 <P>A more efficient answer (all in 1 search) is this:</P> <PRE><CODE>index=abc "search string 1" OR "search string 2" | bin _time span=1d | stats count(eval(searchmatch("search string 1"))) AS ATTEMPTED_ORDERS count(eval(searchmatch("search string 2"))) AS SUCCESSFUL_ORDERS BY _time | eval PERCENT_SUCCESSFUL = (coalesce(SUCCESSFUL_ORDERS, 0)/coalesce(ATTEMPTED_ORDERS, SUCCESSFUL_ORDERS)) * 100 | table _time PERCENT_SUCCESSFUL </CODE></PRE> Tue, 25 Jul 2017 15:26:13 GMT https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321753#M96136 woodcock 2017-07-25T15:26:13Z https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321754#M96137 <P>@woodcock - How DARE you fix my sloppy code?</P> <P>The NERVE of some people.</P> <P>Heh.</P> Tue, 25 Jul 2017 17:32:12 GMT https://community.splunk.com/t5/Splunk-Search/Monthly-distribution-of-query-results/m-p/321754#M96137 DalJeanis 2017-07-25T17:32:12Z