Dashboards & Visualizations
Highlighted

How to display percentage of total events that have a field value greater than X, as single dashboard value?

Explorer

I have a dashboard and want to add a single value panel that shows the number of events with a value for "time_taken" > 10000ms, as a percentage of a total number of events in the selected time period.

In my case, the events being searched are just basic events that have a field "time_taken" with numeric values.

What I tried to do is below, based on an example I found:

sourcetype=iis 
cs_uri_stem="/SeverA*"
| eval myfield=case(time_taken > 10000, "Greater", time_taken <= 10000, "LessThan")
| timechart count by myfield
| eval total=Greater+LessThan
| eval PercentageGreater=Greater*100/total
| fields _time PercentageGreater

This seems to give the data I need. However, I don't want to slice it by time. Even if I remove time from the "fields" expression, it still displays a chart with one row per a time 10 seconds. I just want the percentage from the total timetaken across whatever time period I've selected on my dashboard. In other words, I just want a single value.

I'm guessing using "timechart" is not what I want, but I'm not sure how else to approach this. I tried just "chart" when testing the query, but then there is nothing shown on the Statistics tab in the results.

Ultimately, I want to add it as a single value in a dashboard, something like the following, so once I get the correct basic query, I think I need to end it with something to grab that final value and display. So, if Time Period selection in the dashboard is one hour, there are 100 events, and if 10 of those have time_taken > 10000, I just want to display the single value "10%".

  <row>
    <panel>
      <single>
        <title>Response Time - Percentage > 10s</title>
        <search>
          <query>
VALID QUERY HERE
         </query>
          <earliest>$TimePeriod.earliest$</earliest>
          <latest>$TimePeriod.latest$</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
      </single>
    </panel>
  </row>
0 Karma
Highlighted

Re: How to display percentage of total events that have a field value greater than X, as single dashboard value?

Explorer

After submitting this, I found this question: https://answers.splunk.com/answers/664384/show-the-a-particular-percentage-using-single-valu.html. So, my question may be a duplicate. However, the answer in that post is so complicated, I can't tell for sure just by reading it if it would solve my problem or not. In any case, I am hoping for a much simpler solution. (It seems like this should be an easy one to solve.)

0 Karma
Highlighted

Re: How to display percentage of total events that have a field value greater than X, as single dashboard value?

Contributor
 sourcetype=iis 
 cs_uri_stem="/SeverA*"
 | eval myfield=case(time_taken > 10000, "Greater", time_taken <= 10000, "LessThan")
 | chart count by myfield
 | eventstats sum(count) as total
 | eval percentage = ((count/total)*100)
 | eval percentage =percentage ."%"
 | search myfield=Greater
 | table percentage

Hope this helps, let me know if you have any questions, thanks!

0 Karma
Highlighted

Re: How to display percentage of total events that have a field value greater than X, as single dashboard value?

SplunkTrust
SplunkTrust

Give this a try

sourcetype=iis  cs_uri_stem="/SeverA*"
 | eval greater=if(time_taken > 10000, 1,0)
 | stats count as total sum(greater) as Greater
 | eval PercentageGreater=Greater*100/total
 | table PercentageGreater

View solution in original post

Highlighted

Re: How to display percentage of total events that have a field value greater than X, as single dashboard value?

Explorer

Thanks @somesoni2! This worked perfectly. "I wasn't sure if last item - "table PercentageGreater" - would work in the "single" element in the dashboard, but it did."

0 Karma
Highlighted

Re: How to display percentage of total events that have a field value greater than X, as single dashboard value?

Esteemed Legend

First of all, fix your query; here is a run anywhere example:

index=_* 
| eval time_taken = date_second * 700

| eval myfield=if(time_taken > 10000, "GreaterThan", "LessThan") 
| timechart count by myfield 
| eval PercentageGreater = 100 * GreaterThan / (GreaterThan + LessThan) 
| table _time PercentageGreater

Second, make sure that you are using the proper visualization, you should be using the one called Single Value (that shows a trendline and a vector).

0 Karma