Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

eval values of a formula in a timechart command

mtrochym
Observer
‎02-23-2017 07:02 AM

Hi,
I am using the below query to timechart the values of offers (STATUS=ACCEPTED) from midnight, of the current day, and compare them to lastweek. I had found this query on these forums, plugged it in and it works beautifully!

index="offers" STATUS="ACCEPTED" earliest=-7d@d

| eval StartTime=relative_time(now(), "@d")

| eval Series=case(
_time >=StartTime, "today",
_time <= relative_time(now(), "-6d@d"), "LastWk")

| timechart span=5m count by Series

| eval Time = strftime(_time, "%H:%M")

| chart sum(LastWk) as LastWeek, sum(today) as Today by Time
| eval Today=if(Today==0, "", Today)

My problem is I am trying to insert the below "eval Percent..." so I can compare "Percent" today vs lastweek, in the above "Series".
count(STATUS) AS total, count(eval(STATUS="ACCEPTED")) AS Accepted
eval Percent=((Accepted/total)*100)

I tried timewrap, but while that is nice, it is a super slow process and only compares a 24h "moving window"

I tried doing things like:
| timechart span=5m count(STATUS) AS total, count(eval(STATUS="ACCEPTED")) AS Accepted by Series

|eval Percent=((Accepted/total)*100)

and a few other combinations but none seemed to work.
Any help would be appreciated!

Tags (1)
0 Karma
Reply

mtrochym
Observer
‎02-27-2017 04:37 PM

Hmm. I think I see where you're going with this but I tried this and unfortunately it did not work. The search took about 45min to run and didn't return any results.

0 Karma
Reply

somesoni2
Revered Legend
‎02-23-2017 08:08 AM

Give this a try

index="offers" STATUS="*" earliest=-7d@d 
| eval StartTime=relative_time(now(), "@d") 
| eval Series=case(
_time >=StartTime, "today",
_time <= relative_time(now(), "-6d@d"), "LastWk") 
| where isnotnull(Series)
| eval _time=if(Series="LastWk",_time+(86400*7),_time)
| bucket span=5m  _time
| chart count(STATUS) AS total, count(eval(STATUS="ACCEPTED")) AS Accepted by _time Series
| eval 'Percent: Today'=(('Accepted: Today'/'total: Today')*100)
| eval 'Percent: LastWk'=(('Accepted: LastWk'/'total: LastWk')*100)
| eval Time = strftime(_time, "%H:%M") | fields -_time
| table Time Percent* *
0 Karma
Reply

jamojamil
New Member
‎02-27-2017 05:17 PM

yesssss great

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...