If I wanted to take the perc of each action and display it in a single value panel on a dashboard, how would I go about doing so?
base search | stats count by action | eventstats sum(count) as perc | eval perc=round(count*100/perc,2)
Results:
action count perc
action1 12 25
action2 12 25
action3 12 25
action4 12 25
The best (performance-wise) option would be to use post-process in the dashboard. This will avoid running 4 searches. Try something like this for your dashboard XML. See this for more details: http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/Savedsearches#Post-process_searches.
<search id="xyz">
<query>base search | stats count by action | eventstats sum(count) as perc | eval perc=round(count*100/perc,2)</query>
<earliest>...</earliest>
<latest>...</latest>
</search>
<!-- post processing reference -->
<single>
<search base="xyz">
<query> where action="action1" | table perc</query>
</search>
</single>
<single>
<search base="xyz">
<query> where action="action2" | table perc</query>
</search>
</single>
<single>
<search base="xyz">
<query> where action="action3" | table perc</query>
</search>
</single>
<single>
<search base="xyz">
<query> where action="action4" | table perc</query>
</search>
</single>
Interesting. I never thought about doing this.
Do this for each action/panel
base search | stats count by action | eventstats sum(count) as perc | eval perc=round(count*100/perc,2) | where action="action1" | fields perc
...etc