Dashboards & Visualizations

Find interval sums of a field and display it in a chart

Path Finder

I currently have a query like this:

| eventstats sum(total_dates_correct) as TOTAL_CORRECT | eventstats sum(total_datetypes) as TOTAL | eval TOTAL_ACCURACY = (TOTAL_CORRECT / TOTAL) * 100 | table _time TOTAL_ACCURACY | timechart avg(TOTAL_ACCURACY)

I would like to have it so that if the person selects a date range of 2019 for example, and a date interval of 1 month, then the TOTAL_ACCURACY above would be calculated individually for the events that lie within that month.

So for example:
Date range: 2019
Date interval: 1 month

January 2019 TOTAL_ACCURACY: 20% (Calculated using 100 logs from January)
February 2019 TOTAL_ACCURACY: 80% (Calculated using 10 logs from February)
March 2019 ...

I guess it would be similar to setting the date range for a query to be from January 2019 to February 2019, saving that in a field, then February 2019 to March 2019, saving that in another field, etc. and then outputting it all on the same graph.

Ideally, I would create a dropdown input on the dashboard so that the user can choose the date interval (haven't looked into how this works yet)

How would I do this?


Tags (1)
0 Karma

Esteemed Legend

You are correct. Use the standard Time picker and a custom dropdown field called interval pre-populated with values like {1s, 1m, 1h, 1d, 1month, 1y}. Then your search would look like this:

... | bin _time span=$span_token$
| stats sum(total_dates_correct) AS TOTAL_CORRECT sum(total_datetypes) AS TOTAL BY _time
| timechart span=$span_token$ avg(TOTAL_ACCURACY) AS TOTAL_ACCURACY
0 Karma


you should consider using the bucket command. you'll have to configure your input to feed the appropriate span to bucket

For example

|bucket span=1mon _time
| eventstats sum(total_dates_correct) as TOTAL_CORRECT by _time
| eventstats sum(total_datetypes) as TOTAL  by _time
| table _time TOTAL_ACCURACY 
| timechart avg(TOTAL_ACCURACY)
0 Karma
Get Updates on the Splunk Community!

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...