Hi all,
I'm monitoring compliance data for the past 7 days using timechart. My current query displays the count of "comply" and "not comply" events for each day.
index= indexA | timechart span=1d count by audit
However, I'd like to visualize this data as percentages instead. Is it possible to modify the search to display the percentage of compliant and non-compliant events on top of each bar?
Thanks in advance for your help!
If you add the following after your timechart command, it will change the values from numbers to percentages:
| addtotals fieldname=_Total
| foreach * [ eval <<FIELD>>=round(('<<FIELD>>'/_Total*100),2) ]
Note that the _ in front of the total field name prevents it from being displayed; the foreach command then just calculates the percentages.
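A complete search that can be pasted into the search bar to see the suggestion above end to end. This is an added example, not part of any poster's reply: the `makeresults` lines generate constructed events with a constructed `audit` field holding "comply" or "not comply", and the double quotes around `<<FIELD>>` on the left of the `eval` are an addition here so that a series name containing a space is still a valid assignment target.

```spl
| makeresults count=500
| eval _time = relative_time(now(), "-7d@d") + (random() % (7 * 86400))
| eval audit = if(random() % 4 == 0, "not comply", "comply")
| timechart span=1d count by audit
| addtotals fieldname=_Total
| foreach * [ eval "<<FIELD>>" = round('<<FIELD>>' / _Total * 100, 2) ]
```

In the statistics view, the two series values in each daily row then add up to 100, apart from rounding.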
Hi @bowesmana,
index="index A"
| table _time, Audit
| addtotals fieldname=Total
| foreach * [eval Audit=round (('Audit'/Total*100),2)]
Above is the query that I created based on your idea, but it does not seem to be working. The screenshot below is the result of the above query.
The values are not showing as percentages.
You have not done what I suggested; you have changed the SPL to something that will not work.
Please use the exact code I provided after your timechart command.
Hi @KendallW,
It's not working; it is just stacking the values of the bar chart.