How to combine timechart, stats, and eval?

vanheer
Explorer

Hi,

I have multiple fields, for example counting how many items pass through gates:

| timechart count(eval(like(gate_id, "RG%") )) as items_RG, count(eval(NOT like(gate_id, "RG%") )) as all_items by building

I want to exclude the counts of items_RG from all_items, so I'm using:

| eval Total=all_items-items_RG

But Total is not shown in the output, and when I use stats instead, I don't get the time column needed to show the graph as a timechart.

| stats count(eval(like(gate_id, "RG%"))) as items_RG, count(eval(NOT like(gate_id, "RG%"))) as all_items by building
| eval Total=all_items-items_RG

I also tried eventstats, but couldn't get what I want.


venky1544
Builder

Hi @vanheer 

| bin _time span=5m
| stats count(eval(like(gate_id, "RG%"))) as items_RG, count(eval(NOT like(gate_id, "RG%"))) as all_items by _time, building
| eval Total=all_items-items_RG
| fields - all_items, items_RG
| xyseries _time, building, Total

Try appending the xyseries command; it should give you the desired result.

If this helps, karma points are appreciated / accept the solution, it might help others.

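As an added illustration (not code from the thread or from Splunk), the same bin / stats / eval / xyseries pipeline reproduced in Python over constructed events, so the reshaping from one row per (_time, building) to one row per _time with a column per building is visible without a Splunk instance. The row sum appended as `Total` is the extra column from the asker's desired table, which xyseries itself does not produce (in SPL that is a following `addtotals`).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the thread): (_time, building, gate_id).
EVENTS = [
    ("2022-04-13 17:21:10", "GT01", "RG-07"),
    ("2022-04-13 17:22:45", "GT01", "MG-02"),
    ("2022-04-13 17:23:00", "GT01", "MG-05"),
    ("2022-04-13 17:23:30", "GT01", "MG-08"),
    ("2022-04-13 17:24:30", "GT02", "RG-01"),
    ("2022-04-13 17:24:59", "GT02", "MG-11"),
    ("2022-04-13 17:24:59", "GT02", "MG-12"),
    ("2022-04-13 17:26:15", "GT01", "MG-02"),
    ("2022-04-13 17:27:40", "GT02", "MG-11"),
    ("2022-04-13 17:28:05", "GT02", "MG-03"),
    ("2022-04-13 17:29:50", "GT03", "MG-09"),
]

def bin_time(ts, span_minutes=5):
    """`bin _time span=5m`: floor the timestamp to the start of its 5-minute bucket."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    dt = dt.replace(minute=dt.minute - dt.minute % span_minutes, second=0)
    return dt.strftime("%Y-%m-%d %H:%M:%S")

def stats_total_by_time_building(events):
    """`stats count(eval(like(gate_id,"RG%"))) as items_RG,
              count(eval(NOT like(gate_id,"RG%"))) as all_items by _time, building
       | eval Total=all_items-items_RG`  ->  {(_time, building): Total}"""
    counts = defaultdict(lambda: {"items_RG": 0, "all_items": 0})
    for ts, building, gate_id in events:
        key = (bin_time(ts), building)
        if gate_id.startswith("RG"):      # like(gate_id, "RG%")
            counts[key]["items_RG"] += 1
        else:                             # NOT like(gate_id, "RG%")
            counts[key]["all_items"] += 1
    return {k: v["all_items"] - v["items_RG"] for k, v in counts.items()}

def xyseries(totals):
    """`xyseries _time, building, Total`: one row per _time, one column per building.
    Cells with no data are filled with 0 here (Splunk leaves them empty); the row sum
    added as `Total` is the extra column in the desired table (`addtotals` in SPL)."""
    buildings = sorted({b for _, b in totals})
    table = {}
    for (t, b), total in totals.items():
        table.setdefault(t, {x: 0 for x in buildings})[b] = total
    return {t: dict(cols, Total=sum(cols.values())) for t, cols in sorted(table.items())}
```

Calling `xyseries(stats_total_by_time_building(EVENTS))` yields one row per 5-minute bucket with GT01, GT02, GT03 and Total columns, the shape the asker needed for a stacked chart.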

vanheer
Explorer

Thanks @venky1544, almost there! Now I have each building in a field:

| bin _time span=5m
| stats count(eval(like(gate_id, "RG%"))) as items_RG, count(eval(NOT like(gate_id, "RG%"))) as all_items by _time, building
| eval Total=all_items-items_RG
| fields - all_items, items_RG
_time                building  Total
2022-04-13 17:20:00  GT01      24
2022-04-13 17:20:00  GT02      13
2022-04-13 17:20:00  GT03      29
2022-04-13 17:25:00  GT01      64
2022-04-13 17:25:00  GT02      52
2022-04-13 17:25:00  GT03      94

I need each building in a separate field to stack them in the graph.

_time                GT01  GT02  GT03  Total
2022-04-13 17:20:00  24    13    29    =24+13+29
2022-04-13 17:25:00  64    52    94    =64+52+94


vanheer
Explorer

@venky1544 Thank you very much, I haven't used xyseries before.

One more optional question 😀:
I've created a manual dropdown span interval, but can we keep it automated as in timechart?


venky1544
Builder

Hi @vanheer 

try the below

| bin _time span=5m
| stats count(eval(like(gate_id, "RG%"))) as items_RG, count(eval(NOT like(gate_id, "RG%"))) as all_items by _time, building
| eval Total=all_items-items_RG

If it helps, karma points are appreciated.
