Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Find interval sums of a field and display it in a chart

ruhtraeel
Path Finder
‎10-22-2019 03:52 PM

Hello,
I currently have a query like this: 

| eventstats sum(total_dates_correct) as TOTAL_CORRECT | eventstats sum(total_datetypes) as TOTAL | eval TOTAL_ACCURACY = (TOTAL_CORRECT / TOTAL) * 100 | table _time TOTAL_ACCURACY | timechart avg(TOTAL_ACCURACY)

I would like to have it so that if the person selects a date range of 2019 for example, and a date interval of 1 month, then the TOTAL_ACCURACY above would be calculated individually for the events that lie within that month.

So for example:
Date range: 2019
Date interval: 1 month

January 2019 TOTAL_ACCURACY: 20% (Calculated using 100 logs from January)
February 2019 TOTAL_ACCURACY: 80% (Calculated using 10 logs from February)
March 2019 ...
etc

I guess it would be similar to setting the date range for a query to be from January 2019 to February 2019, saving that in a field, then February 2019 to March 2019, saving that in another field, etc. and then outputting it all on the same graph.

Ideally, I would create a dropdown input on the dashboard so that the user can choose the date interval (haven't looked into how this works yet)

How would I do this?

Thanks

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎10-27-2019 06:54 PM

You are correct. Use the standard Time picker and a custom dropdown field called interval pre-populated with values like {1s, 1m, 1h, 1d, 1month, 1y}. Then your search would look like this:

... | bin _time span=$span_token$
| stats sum(total_dates_correct) AS TOTAL_CORRECT sum(total_datetypes) AS TOTAL BY _time
| eval TOTAL_ACCURACY = 100 * (TOTAL_CORRECT / TOTAL)
| timechart span=$span_token$ avg(TOTAL_ACCURACY) AS TOTAL_ACCURACY
0 Karma
Reply

arjunpkishore5
Motivator
‎10-26-2019 08:19 PM

you should consider using the bucket command. you'll have to configure your input to feed the appropriate span to bucket

For example

|bucket span=1mon _time
| eventstats sum(total_dates_correct) as TOTAL_CORRECT by _time
| eventstats sum(total_datetypes) as TOTAL  by _time
| eval TOTAL_ACCURACY = (TOTAL_CORRECT / TOTAL) * 100 
| table _time TOTAL_ACCURACY 
| timechart avg(TOTAL_ACCURACY)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...