Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using distinct count and eval in timechart (area chart)

Jurala
Explorer
‎08-17-2017 12:12 AM

To begin with, I'm a beginner in world of Splunk. I'm trying to create an area chart where I could track how many users are using the application, how many have completed the application (reached page 6) and how many users are using formManager. In query I've stated that if the user reaches page six, which is the last page of the application, the form is saved to formManager thus adding the user as formManager user. I'm using all three counts successfully as a single value panel in my dashboard but I would like to visualize it in a graph.

dc(user_id) as applicationUsers and count(eval(page_logging=6)) as completedForms works like a charm but dc(eval(page_logging=6)) as formManagerUsers returns only zero or one per hour in my area chart.

I'm using following query as single value to track formManager users:

index=prod sourcetype=application page_logging=6 | stats dc(user_id)

Here's my query for area chart:

index=prod sourcetype=application | timechart span=1h dc(user_id) as applicationUsers, count(eval(page_logging=6)) as completedForms, dc(eval(page_logging=6)) as formManagerUsers
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-17-2017 08:38 AM

The last calculation, and the results on it, make no sense to me.

eval(page_logging=6) has three possible values for any given record {null, true, false}. Null is not a value that dc counts, so for that formula, dc can only give 0, 1 or 2, and I'd expect it to vary between 1 and 2, mostly 2, if the field page_logging is usually present and if people commonly drop out and also people commonly finish. So, I'd go back and check your assumptions based on common sense expectations for the data.

You are really looking, I believe, for dc(user_id) where page_logging=6. I think my preference, as the most straightforward approach, would be preprocessing, but let me see if I can tease this out to code it your way...

It will be something like...

 dc(eval(if(page_logging=6,user_id,null()))) as formManagerUsers

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-17-2017 08:38 AM

The last calculation, and the results on it, make no sense to me.

eval(page_logging=6) has three possible values for any given record {null, true, false}. Null is not a value that dc counts, so for that formula, dc can only give 0, 1 or 2, and I'd expect it to vary between 1 and 2, mostly 2, if the field page_logging is usually present and if people commonly drop out and also people commonly finish. So, I'd go back and check your assumptions based on common sense expectations for the data.

You are really looking, I believe, for dc(user_id) where page_logging=6. I think my preference, as the most straightforward approach, would be preprocessing, but let me see if I can tease this out to code it your way...

It will be something like...

 dc(eval(if(page_logging=6,user_id,null()))) as formManagerUsers
Reply
Solved! Jump to solution

Jurala
Explorer
‎08-21-2017 10:58 PM

Thanks! Works as expected.

Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
Top