I have a dashboard and want to add a single value panel that shows the number of events with a value for "time_taken" > 10000ms, as a percentage of a total number of events in the selected time period.
In my case, the events being searched are just basic events that have a field "time_taken" with numeric values.
What I tried to do is below, based on an example I found:
sourcetype=iis cs_uri_stem="/SeverA*" | eval myfield=case(time_taken > 10000, "Greater", time_taken <= 10000, "LessThan") | timechart count by myfield | eval total=Greater+LessThan | eval PercentageGreater=Greater*100/total | fields _time PercentageGreater
This seems to give the data I need. However, I don't want to slice it by time. Even if I remove time from the "fields" expression, it still displays a chart with one row per a time 10 seconds. I just want the percentage from the total timetaken across whatever time period I've selected on my dashboard. In other words, I just want a single value.
I'm guessing using "timechart" is not what I want, but I'm not sure how else to approach this. I tried just "chart" when testing the query, but then there is nothing shown on the Statistics tab in the results.
Ultimately, I want to add it as a single value in a dashboard, something like the following, so once I get the correct basic query, I think I need to end it with something to grab that final value and display. So, if Time Period selection in the dashboard is one hour, there are 100 events, and if 10 of those have time_taken > 10000, I just want to display the single value "10%".
<row> <panel> <single> <title>Response Time - Percentage > 10s</title> <search> <query> VALID QUERY HERE </query> <earliest>$TimePeriod.earliest$</earliest> <latest>$TimePeriod.latest$</latest> <refresh>10m</refresh> <refreshType>delay</refreshType> </search> </single> </panel> </row>
After submitting this, I found this question: https://answers.splunk.com/answers/664384/show-the-a-particular-percentage-using-single-valu.html. So, my question may be a duplicate. However, the answer in that post is so complicated, I can't tell for sure just by reading it if it would solve my problem or not. In any case, I am hoping for a much simpler solution. (It seems like this should be an easy one to solve.)
sourcetype=iis cs_uri_stem="/SeverA*" | eval myfield=case(time_taken > 10000, "Greater", time_taken <= 10000, "LessThan") | chart count by myfield | eventstats sum(count) as total | eval percentage = ((count/total)*100) | eval percentage =percentage ."%" | search myfield=Greater | table percentage
Hope this helps, let me know if you have any questions, thanks!
Give this a try
sourcetype=iis cs_uri_stem="/SeverA*" | eval greater=if(time_taken > 10000, 1,0) | stats count as total sum(greater) as Greater | eval PercentageGreater=Greater*100/total | table PercentageGreater
Thanks @somesoni2! This worked perfectly. "I wasn't sure if last item - "table PercentageGreater" - would work in the "single" element in the dashboard, but it did."
First of all, fix your query; here is a run anywhere example:
index=_* | eval time_taken = date_second * 700 | eval myfield=if(time_taken > 10000, "GreaterThan", "LessThan") | timechart count by myfield | eval PercentageGreater = 100 * GreaterThan / (GreaterThan + LessThan) | table _time PercentageGreater
Second, make sure that you are using the proper visualization, you should be using the one called
Single Value (that shows a trendline and a vector).