Can I easily set up a chart that displays the results for relative timespans based on the selected dropdown value?

jbrenner
Path Finder

I have a Splunk query that generates one value based on what's selected in the time span drop down. I want to generate a chart that would be the equivalent of running this query multiple times with "today," "yesterday," ... all the way back to 30 days ago selected in the drop down, with a separate bar in the chart for each day in the past month. Is there a simple way to do this?

Thanks,
Jonathan

0 Karma

woodcock
Esteemed Legend

Like this:

    <search>
      <query>your search here | timechart span=1d count(eval(searchmatch("abc"))) AS ATTEMPTED_ORDERS count(eval(searchmatch("def"))) AS SUCCESSFUL_ORDERS | eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100 | table _time PERCENT_SUCCESSFUL</query>
      <!-- Start 30 days before the selected earliest time and end at the selected latest time -->
      <earliest>$time.earliest$-30d@d</earliest>
      <latest>$time.latest$</latest>
    </search>
0 Karma

cmerriman
Super Champion

Can you try something like this:

    index=my_index "abc" OR "def"
    | bucket _time span=1d
    | eval ATTEMPTED_ORDERS=if(like(_raw,"%abc%"),1,0)
    | eval SUCCESSFUL_ORDERS=if(like(_raw,"%def%"),1,0)
    | stats sum(ATTEMPTED_ORDERS) as ATTEMPTED_ORDERS sum(SUCCESSFUL_ORDERS) as SUCCESSFUL_ORDERS by _time
    | eval UNSUCCESSFUL_ORDERS = ATTEMPTED_ORDERS - SUCCESSFUL_ORDERS
    | eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100 | TABLE _time PERCENT_SUCCESSFUL

0 Karma

jbrenner
Path Finder

This worked for me. Thanks!

0 Karma

somesoni2
Revered Legend

For a simple search index=_internal | stats count, it can be done with index=_internal | bucket span=1d _time | stats count by _time. (adding _time into mix with span as 1d). If you can share your query, we can suggest the same transformation for your search.

jbrenner
Path Finder

Here is the query:

    index=my_index "abc" | STATS COUNT AS ATTEMPTED_ORDERS | appendcols [search index=my_index "def" | STATS COUNT AS SUCCESSFUL_ORDERS] | eval UNSUCCESSFUL_ORDERS = ATTEMPTED_ORDERS - SUCCESSFUL_ORDERS
    | eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100 | TABLE PERCENT_SUCCESSFUL

0 Karma
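
A complete Simple XML form that wires the per-day version of this query to a time picker and draws one column per day, as an added example that is not part of the original thread. The token name `time`, the labels, the 30-day default, the `makecontinuous`/`fillnull` gap filling and the zero-attempt guard are assumptions; `index=my_index`, "abc" and "def" come from the posts above.

```xml
<form>
  <label>Daily order success rate</label>
  <fieldset submitButton="false">
    <!-- Time picker; the token name "time" is an assumption -->
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <!-- Assumed default: the last 30 days, snapped to midnight -->
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Percent of successful orders per day</title>
        <search>
          <!-- CDATA keeps the ">" comparison valid inside XML -->
          <query><![CDATA[
index=my_index "abc" OR "def"
| bin _time span=1d
| eval ATTEMPTED_ORDERS=if(like(_raw,"%abc%"),1,0)
| eval SUCCESSFUL_ORDERS=if(like(_raw,"%def%"),1,0)
| stats sum(ATTEMPTED_ORDERS) AS ATTEMPTED_ORDERS sum(SUCCESSFUL_ORDERS) AS SUCCESSFUL_ORDERS by _time
| makecontinuous _time span=1d
| fillnull value=0 ATTEMPTED_ORDERS SUCCESSFUL_ORDERS
| eval PERCENT_SUCCESSFUL=if(ATTEMPTED_ORDERS > 0, round(SUCCESSFUL_ORDERS / ATTEMPTED_ORDERS * 100, 2), 0)
| table _time PERCENT_SUCCESSFUL
          ]]></query>
          <!-- The picker's range bounds the search; bin/stats split it into days -->
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisTitleX.text">Day</option>
        <option name="charting.axisTitleY.text">Percent successful</option>
        <option name="charting.axisY.minimumNumber">0</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
</form>
```

Days without any matching events are plotted as 0 here; drop the `makecontinuous` and `fillnull` lines to leave those days out of the chart instead.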