Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

eval values of a formula in a timechart command

mtrochym
Observer
‎02-23-2017 07:02 AM

Hi,
I am using the below query to timechart the values of offers (STATUS=ACCEPTED) from midnight, of the current day, and compare them to lastweek. I had found this query on these forums, plugged it in and it works beautifully!

index="offers" STATUS="ACCEPTED" earliest=-7d@d

| eval StartTime=relative_time(now(), "@d")

| eval Series=case(
_time >=StartTime, "today",
_time <= relative_time(now(), "-6d@d"), "LastWk")

| timechart span=5m count by Series

| eval Time = strftime(_time, "%H:%M")

| chart sum(LastWk) as LastWeek, sum(today) as Today by Time
| eval Today=if(Today==0, "", Today)

My problem is I am trying to insert the below "eval Percent..." so I can compare "Percent" today vs lastweek, in the above "Series".
count(STATUS) AS total, count(eval(STATUS="ACCEPTED")) AS Accepted
eval Percent=((Accepted/total)*100)

I tried timewrap, but while that is nice, it is a super slow process and only compares a 24h "moving window"

I tried doing things like:
| timechart span=5m count(STATUS) AS total, count(eval(STATUS="ACCEPTED")) AS Accepted by Series

|eval Percent=((Accepted/total)*100)

and a few other combinations but none seemed to work.
Any help would be appreciated!

Tags (1)
0 Karma
Reply

mtrochym
Observer
‎02-27-2017 04:37 PM

Hmm. I think I see where you're going with this but I tried this and unfortunately it did not work. The search took about 45min to run and didn't return any results.

0 Karma
Reply

somesoni2
Revered Legend
‎02-23-2017 08:08 AM

Give this a try

index="offers" STATUS="*" earliest=-7d@d 
| eval StartTime=relative_time(now(), "@d") 
| eval Series=case(
_time >=StartTime, "today",
_time <= relative_time(now(), "-6d@d"), "LastWk") 
| where isnotnull(Series)
| eval _time=if(Series="LastWk",_time+(86400*7),_time)
| bucket span=5m  _time
| chart count(STATUS) AS total, count(eval(STATUS="ACCEPTED")) AS Accepted by _time Series
| eval 'Percent: Today'=(('Accepted: Today'/'total: Today')*100)
| eval 'Percent: LastWk'=(('Accepted: LastWk'/'total: LastWk')*100)
| eval Time = strftime(_time, "%H:%M") | fields -_time
| table Time Percent* *
0 Karma
Reply

jamojamil
New Member
‎02-27-2017 05:17 PM

yesssss great

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...