Can I easily set up a chart that displays the results for relative timespans based on the selected dropdown value?

Explorer

I have a Splunk query that generates one value based on what's selected in the time span drop down. I want to generate a chart that would be the equivalent of running this query multiple times with "today," "yesterday," ... all the way back to 30 days ago selected in the drop down, with a separate bar in the chart for each day in the past month. Is there a simple way to do this?

Thanks,
Jonathan

Super Champion

Can you try something like this:

index=my_index "abc" OR "def"
| bucket _time span=1d
| eval ATTEMPTED_ORDERS=if(like(_raw,"%abc%"),1,0)
| eval SUCCESSFUL_ORDERS=if(like(_raw,"%def%"),1,0)
| stats sum(ATTEMPTED_ORDERS) as ATTEMPTED_ORDERS sum(SUCCESSFUL_ORDERS) as SUCCESSFUL_ORDERS by _time
| eval UNSUCCESSFUL_ORDERS = ATTEMPTED_ORDERS - SUCCESSFUL_ORDERS
| eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100
| table _time PERCENT_SUCCESSFUL


Esteemed Legend

Like this:

    <search>
      <!-- one row per day; each count() only counts events matching its searchmatch() -->
      <query>your search here
| timechart span=1d count(eval(searchmatch("abc"))) AS ATTEMPTED_ORDERS count(eval(searchmatch("def"))) AS SUCCESSFUL_ORDERS
| eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100
| table _time PERCENT_SUCCESSFUL</query>
      <!-- last 30 full days through now -->
      <earliest>-30d@d</earliest>
      <latest>now</latest>
    </search>


Explorer

This worked for me. Thanks!

SplunkTrust

For a simple search index=_internal | stats count, it can be done with index=_internal | bucket span=1d _time | stats count by _time (adding _time into the mix with a span of 1d). If you can share your query, we can suggest the same transformation for your search.

Explorer

Here is the query:

index=myindex "abc" | STATS COUNT AS ATTEMPTEDORDERS | appendcols [search index=myindex "def" | STATS COUNT AS SUCCESSFULORDERS] | eval UNSUCCESSFULORDERS = ATTEMPTEDORDERS - SUCCESSFULORDERS | eval PERCENT_SUCCESSFUL = (SUCCESSFULORDERS/ATTEMPTEDORDERS) * 100 | TABLE PERCENT_SUCCESSFUL
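Putting the thread together as a complete Simple XML dashboard, as an added example that is not from any poster: the time picker still drives the search, the "bucket by day" transformation replaces the appendcols pair, and days with zero attempted orders yield null instead of a divide-by-zero error. The index name and the "abc"/"def" markers are the ones used in the thread and are assumed.

```xml
<form>
  <label>Daily order success rate</label>
  <fieldset submitButton="false">
    <!-- Time picker; default shows the last 30 full days plus today, one column per day -->
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Percent successful orders per day</title>
      <chart>
        <search>
          <!-- Assumed index and event markers from the thread: "abc" = attempted, "def" = successful -->
          <query>index=myindex ("abc" OR "def")
| bucket _time span=1d
| eval ATTEMPTED_ORDERS=if(like(_raw,"%abc%"),1,0)
| eval SUCCESSFUL_ORDERS=if(like(_raw,"%def%"),1,0)
| stats sum(ATTEMPTED_ORDERS) AS ATTEMPTED_ORDERS sum(SUCCESSFUL_ORDERS) AS SUCCESSFUL_ORDERS by _time
| eval UNSUCCESSFUL_ORDERS=ATTEMPTED_ORDERS-SUCCESSFUL_ORDERS
| eval PERCENT_SUCCESSFUL=if(ATTEMPTED_ORDERS&gt;0, round(100*SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS,1), null())
| table _time PERCENT_SUCCESSFUL</query>
          <!-- Tokens set by the time input above, so the dropdown selection still applies -->
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisTitleY.text">% successful</option>
      </chart>
    </panel>
  </row>
</form>
```

A day with no "abc" events is left blank in the chart rather than plotted as 0 or failing the eval.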