Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to show a timechart of a ratio of two sums?

bmezhibovskiy
Observer
‎04-19-2021 09:55 AM

I have this search query:

 

base search
| eval error = if(type="error",1,0)
| eval pageView = if(type="pageView",1,0)
| timechart sum(error)/sum(pageView) as ratio

 


But ratio doesn't work. Is there a way to see that ratio?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-19-2021 01:54 PM 
base search
| eval error = if(type="error",1,0)
| eval pageView = if(type="pageView",1,0)
| bin _time span=1h
| stats sum(error) as errorSum sum(pageView) as pageViewSum by _time
| eval ratio=errorSum / pageViewSum 
| timechart values(ratio) as ratio

Pick an appropriate span

0 Karma
Reply

manjunathmeti
Champion
‎04-19-2021 11:46 AM

hi @bmezhibovskiy,

You can calculate the ratios after the counting.

| bin span=30m _time 
| chart count(eval(type="error")) as error, count(eval(type="pageView")) as pageView by _time 
| eval ratio=error/pageView
0 Karma
Reply

bmezhibovskiy
Observer
‎04-19-2021 01:38 PM

This works, but it shows 3 graphs, which makes the graph useless since the ratio is between 0 and 1, and there are thousands of events. How do I only show a graph of the ratio?

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-19-2021 04:13 PM

Just remove the fields error and pageView with this at the end

| fields - error pageView

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-19-2021 11:40 AM

"doesn't work" is not a good problem description.

Part of the problem is the timechart command cannot do math like the query is trying to do.  Try doing the math in an eval statement before timechart.

base search
| eval error = if(type="error",1,0)
| eval pageView = if(type="pageView",1,0)
| eval ratio = round(error/pageView,3)
| timechart max(ratio) as ratio
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bmezhibovskiy
Observer
‎04-19-2021 01:34 PM

That doesn't quite work. To be clear, this is a ratio of event counts.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...