Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Find interval sums of a field and display it in a chart

ruhtraeel
Path Finder
‎10-22-2019 03:52 PM

Hello,
I currently have a query like this: 

| eventstats sum(total_dates_correct) as TOTAL_CORRECT | eventstats sum(total_datetypes) as TOTAL | eval TOTAL_ACCURACY = (TOTAL_CORRECT / TOTAL) * 100 | table _time TOTAL_ACCURACY | timechart avg(TOTAL_ACCURACY)

I would like to have it so that if the person selects a date range of 2019 for example, and a date interval of 1 month, then the TOTAL_ACCURACY above would be calculated individually for the events that lie within that month.

So for example:
Date range: 2019
Date interval: 1 month

January 2019 TOTAL_ACCURACY: 20% (Calculated using 100 logs from January)
February 2019 TOTAL_ACCURACY: 80% (Calculated using 10 logs from February)
March 2019 ...
etc

I guess it would be similar to setting the date range for a query to be from January 2019 to February 2019, saving that in a field, then February 2019 to March 2019, saving that in another field, etc. and then outputting it all on the same graph.

Ideally, I would create a dropdown input on the dashboard so that the user can choose the date interval (haven't looked into how this works yet)

How would I do this?

Thanks

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎10-27-2019 06:54 PM

You are correct. Use the standard Time picker and a custom dropdown field called interval pre-populated with values like {1s, 1m, 1h, 1d, 1month, 1y}. Then your search would look like this:

... | bin _time span=$span_token$
| stats sum(total_dates_correct) AS TOTAL_CORRECT sum(total_datetypes) AS TOTAL BY _time
| eval TOTAL_ACCURACY = 100 * (TOTAL_CORRECT / TOTAL)
| timechart span=$span_token$ avg(TOTAL_ACCURACY) AS TOTAL_ACCURACY
0 Karma
Reply

arjunpkishore5
Motivator
‎10-26-2019 08:19 PM

you should consider using the bucket command. you'll have to configure your input to feed the appropriate span to bucket

For example

|bucket span=1mon _time
| eventstats sum(total_dates_correct) as TOTAL_CORRECT by _time
| eventstats sum(total_datetypes) as TOTAL  by _time
| eval TOTAL_ACCURACY = (TOTAL_CORRECT / TOTAL) * 100 
| table _time TOTAL_ACCURACY 
| timechart avg(TOTAL_ACCURACY)
0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...