Can I easily set up a chart that displays the results for relative timespans based on the selected dropdown value?

jbrenner
Path Finder

I have a Splunk query that generates one value based on what's selected in the time span drop down. I want to generate a chart that would be the equivalent of running this query multiple times with "today," "yesterday," ... all the way back to 30 days ago selected in the drop down, with a separate bar in the chart for each day in the past month. Is there a simple way to do this?

Thanks,
Jonathan

0 Karma

woodcock
Esteemed Legend

Like this:

    <search>
      <query>your search here | timechart span=1d count(eval(searchmatch("abc"))) AS ATTEMPTED_ORDERS count(eval(searchmatch("def"))) AS SUCCESSFUL_ORDERS | eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100 | table _time PERCENT_SUCCESSFUL</query>
      <earliest>$time.earliest$-30d@d</earliest>
      <latest>$time.latest$</latest>
    </search>
0 Karma

cmerriman
Super Champion

Can you try something like this:

index=my_index "abc" OR "def"
| bucket _time span=1d
| eval ATTEMPTED_ORDERS=if(like(_raw,"%abc%"),1,0)
| eval SUCCESSFUL_ORDERS=if(like(_raw,"%def%"),1,0)
| stats sum(ATTEMPTED_ORDERS) as ATTEMPTED_ORDERS sum(SUCCESSFUL_ORDERS) as SUCCESSFUL_ORDERS by _time
| eval UNSUCCESSFUL_ORDERS = ATTEMPTED_ORDERS - SUCCESSFUL_ORDERS
| eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100
| table _time PERCENT_SUCCESSFUL
0 Karma

jbrenner
Path Finder

This worked for me. Thanks!

0 Karma

somesoni2
SplunkTrust

For a simple search index=_internal | stats count, it can be done with index=_internal | bucket span=1d _time | stats count by _time (adding _time into the mix with span set to 1d). If you can share your query, we can suggest the same transformation for your search.

jbrenner
Path Finder

Here is the query:

index=my_index "abc"
| stats count as ATTEMPTED_ORDERS
| appendcols [search index=my_index "def" | stats count as SUCCESSFUL_ORDERS]
| eval UNSUCCESSFUL_ORDERS = ATTEMPTED_ORDERS - SUCCESSFUL_ORDERS
| eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100
| table PERCENT_SUCCESSFUL

0 Karma