https://community.splunk.com/t5/Splunk-Search/creating-a-report-that-shows-indexedtime-vs-logged-time-for-each/m-p/330478#M98373 <P>You can't use a <CODE>where</CODE> clause that eliminates all the events under 2 minutes, and then later get a percentage of the total, because you don't have the total. </P> <P>Here's one way...</P> <PRE><CODE>earliest=-24h@h latest=@h index=nameoftheindex | eval GT2=if(_indextime-_time&gt;=120,1,0) | bin _time span=1h | stats avg(GT2) as PctGT2 by _time </CODE></PRE> <P>...or just ...</P> <PRE><CODE>earliest=-24h@h latest=@h index=nameoftheindex | eval GT2=if(_indextime-_time&gt;=120,1,0) | timechart avg(GT2) as PercentGreaterThan2minutes </CODE></PRE> Thu, 08 Jun 2017 18:30:25 GMT DalJeanis 2017-06-08T18:30:25Z https://community.splunk.com/t5/Splunk-Search/creating-a-report-that-shows-indexedtime-vs-logged-time-for-each/m-p/330477#M98372 <P>I want to create a chart separated by hours (24hours) that shows the number of data that took more than 2 mins to be indexed (indextime-time) and converted into percent. The percent would be the total event that took over 2mins to be indexed divided by the total number of events for that hour.(for that 1 hour span)</P> <P>This is the basic search I'm using to calculate the events over 2mins <BR /> index=nameoftheindex | eval time=_time | eval indextime=_indextime | eval diff=indextime-time | where diff&gt;=120 | convert ctime(indextime) | convert ctime(time) fields sourcetype indextime time diff</P> <P>Any help would be helpful. Thanks</P> Tue, 29 Sep 2020 14:20:32 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-report-that-shows-indexedtime-vs-logged-time-for-each/m-p/330477#M98372 mrtolu6 2020-09-29T14:20:32Z https://community.splunk.com/t5/Splunk-Search/creating-a-report-that-shows-indexedtime-vs-logged-time-for-each/m-p/330478#M98373 <P>You can't use a <CODE>where</CODE> clause that eliminates all the events under 2 minutes, and then later get a percentage of the total, because you don't have the total. </P> <P>Here's one way...</P> <PRE><CODE>earliest=-24h@h latest=@h index=nameoftheindex | eval GT2=if(_indextime-_time&gt;=120,1,0) | bin _time span=1h | stats avg(GT2) as PctGT2 by _time </CODE></PRE> <P>...or just ...</P> <PRE><CODE>earliest=-24h@h latest=@h index=nameoftheindex | eval GT2=if(_indextime-_time&gt;=120,1,0) | timechart avg(GT2) as PercentGreaterThan2minutes </CODE></PRE> Thu, 08 Jun 2017 18:30:25 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-report-that-shows-indexedtime-vs-logged-time-for-each/m-p/330478#M98373 DalJeanis 2017-06-08T18:30:25Z https://community.splunk.com/t5/Splunk-Search/creating-a-report-that-shows-indexedtime-vs-logged-time-for-each/m-p/330479#M98374 <P>Thanks DalJeanis that worked. How do I add "%" at the end of PctGT2 results and also move the decimal space to places to the right?</P> Fri, 09 Jun 2017 01:16:52 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-report-that-shows-indexedtime-vs-logged-time-for-each/m-p/330479#M98374 mrtolu6 2017-06-09T01:16:52Z https://community.splunk.com/t5/Splunk-Search/creating-a-report-that-shows-indexedtime-vs-logged-time-for-each/m-p/330480#M98375 <P>earliest=-24h@h latest=@h index=nameoftheindex <BR /> | eval GT2=if(_indextime-_time&gt;=120,1,0)<BR /> | bin _time span=1h<BR /> | stats avg(GT2) as PctGT2 by _time<BR /> |eval PctGT2 = round(PctGT2*100,2)."%"</P> Tue, 29 Sep 2020 14:21:11 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-report-that-shows-indexedtime-vs-logged-time-for-each/m-p/330480#M98375 DalJeanis 2020-09-29T14:21:11Z