Dashboards & Visualizations

How to display percentage of total events that have a field value greater than X, as single dashboard value?

marnee
Explorer

I have a dashboard and want to add a single value panel that shows the number of events with a value for "time_taken" > 10000ms, as a percentage of a total number of events in the selected time period.

In my case, the events being searched are just basic events that have a field "time_taken" with numeric values.

What I tried to do is below, based on an example I found:

sourcetype=iis 
cs_uri_stem="/SeverA*"
| eval myfield=case(time_taken > 10000, "Greater", time_taken <= 10000, "LessThan")
| timechart count by myfield
| eval total=Greater+LessThan
| eval PercentageGreater=Greater*100/total
| fields _time PercentageGreater

This seems to give the data I need. However, I don't want to slice it by time. Even if I remove _time from the "fields" expression, it still displays a chart with one row per a time 10 seconds. I just want the percentage from the total time_taken across whatever time period I've selected on my dashboard. In other words, I just want a single value.

I'm guessing using "timechart" is not what I want, but I'm not sure how else to approach this. I tried just "chart" when testing the query, but then there is nothing shown on the Statistics tab in the results.

Ultimately, I want to add it as a single value in a dashboard, something like the following, so once I get the correct basic query, I think I need to end it with something to grab that final value and display. So, if Time Period selection in the dashboard is one hour, there are 100 events, and if 10 of those have time_taken > 10000, I just want to display the single value "10%".

  <row>
    <panel>
      <single>
        <title>Response Time - Percentage > 10s</title>
        <search>
          <query>
VALID QUERY HERE
         </query>
          <earliest>$TimePeriod.earliest$</earliest>
          <latest>$TimePeriod.latest$</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
      </single>
    </panel>
  </row>
0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

sourcetype=iis  cs_uri_stem="/SeverA*"
 | eval greater=if(time_taken > 10000, 1,0)
 | stats count as total sum(greater) as Greater
 | eval PercentageGreater=Greater*100/total
 | table PercentageGreater

View solution in original post

woodcock
Esteemed Legend

First of all, fix your query; here is a run anywhere example:

index=_* 
| eval time_taken = date_second * 700

| eval myfield=if(time_taken > 10000, "GreaterThan", "LessThan") 
| timechart count by myfield 
| eval PercentageGreater = 100 * GreaterThan / (GreaterThan + LessThan) 
| table _time PercentageGreater

Second, make sure that you are using the proper visualization, you should be using the one called Single Value (that shows a trendline and a vector).

0 Karma

somesoni2
Revered Legend

Give this a try

sourcetype=iis  cs_uri_stem="/SeverA*"
 | eval greater=if(time_taken > 10000, 1,0)
 | stats count as total sum(greater) as Greater
 | eval PercentageGreater=Greater*100/total
 | table PercentageGreater

marnee
Explorer

Thanks @somesoni2! This worked perfectly. "I wasn't sure if last item - "table PercentageGreater" - would work in the "single" element in the dashboard, but it did."

0 Karma

sandeepmakkena
Contributor
 sourcetype=iis 
 cs_uri_stem="/SeverA*"
 | eval myfield=case(time_taken > 10000, "Greater", time_taken <= 10000, "LessThan")
 | chart count by myfield
 | eventstats sum(count) as total
 | eval percentage = ((count/total)*100)
 | eval percentage =percentage ."%"
 | search myfield=Greater
 | table percentage

Hope this helps, let me know if you have any questions, thanks!

0 Karma

marnee
Explorer

After submitting this, I found this question: https://answers.splunk.com/answers/664384/show-the-a-particular-percentage-using-single-valu.html. So, my question may be a duplicate. However, the answer in that post is so complicated, I can't tell for sure just by reading it if it would solve my problem or not. In any case, I am hoping for a much simpler solution. (It seems like this should be an easy one to solve.)

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...