Hi, I am new to Splunk and am trying to build one timechart.
We have the following timechart search query which is not giving the correct values in statistics, but when we browse the events from the statistics the required data seems to be there.
Not able to figure out how timechart exactly works here. Query as below; request help / explanation for the behavior. Filtered for a particular bizname, I select the date range from say 00:45 to 1:30 for a particular day.
I get the wrong "Percentage" value [say 60%] for the first block [00:45 to 1:00], but when I go to the events and check it comes out to be 93%. What am I doing wrong here?
index=index1 sourcetype=*XYZ*
| dedup col1, col2, col3 | search bizname="ABC"
| where completed in("Y","N")
| eval status=if(completed ="Y",100,0)
| timechart span=15m mean(status) as Percentage by bizname useother=false limit=100
| fillnull value=100
Thanks.
We figured this out. We are using dedup as we have some values which get updated in the source at different intervals.
Hence when we were selecting the window 00:45 - 1:30 the dedup would be done across this time period, and hence the % would drop in the first 15 min slot as they had corresponding duplicate values in the third 15 min slot.
But when we would filter based only on the first 15 min slot it would show a higher % as there were no corresponding duplicates in this window.
So not an issue, it's only how the data is collected. Thanks.
The mean() function does not calculate a percentage. It's just an average of the values it's seen. Percentages have to be calculated manually using the eval command.
Thanks for the reply @richgalloway.
In this case we are using 100 for success & 0 for failure, no other values. That would kind of work like a % in this case, I might be wrong.
Would you please advise how I use calculation of % via eval in the query I am using. I have tried with count but it gives the same kind of values as with the mean function.
Thanks.
Yes, I suppose an average of 0's and 100's is the same as a percentage.
What data are you seeing where you are calculating the 60% figure?
For example, in the case mentioned, if I go down to the events it shows me 93% "Y" & 7% "N" with about 104 total events for the mentioned time frame [00:45 - 01:00].
But on the statistics page we are seeing 60% "Y" and if I put a count in the timechart as below it shows a count of 14. Again if I go in the events I see 104 events. So, very much confused on how the timechart is interpreting the data.
timechart span=15m count(completed) as tot_cnt by bizname useother=false limit=100
I am confused as well. Can you share screenshots showing where you see the 60% and 93%? I suspect you may be comparing an overall figure with one for a 15-minute interval.
Thank you for your patience. This is the first screen. I have selected a time period from 00:45 to 1:30 with span=15m as given in the query. I am taking the example of the first entry at 00:45. The count is shown as 14 & a mean of around 57%.
For the first one, 00:45, if I go to the events, I see 104 events and the status count as below. [which is not the same as the count of 14]
From the statistics page if I narrow down to the 00:45 window I get expected values. So not sure what's happening here. Appreciate any insights on this.
Thanks.
Thanks for the pix. I'm afraid I still can't explain the difference. Perhaps someone else will have a suggestion.
Thank you for your time, hope someone else can help.
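The following is an added example, not code from the thread or from Splunk, that reproduces the behaviour described in the resolution above: `dedup` runs over every event the time picker returns, keeping the most recent copy of each key (Splunk's default, since results arrive newest first), so a record re-emitted in a later 15-minute slot removes its older copy from the first slot before `timechart` ever buckets anything. It also shows, as richgalloway's reply notes, that `mean()` of 100/0 values equals the `count(Y)/count` ratio one would otherwise compute with `eval`. The sample events, the single dedup key `col1` (in place of `col1, col2, col3`), and the timestamps are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SLOT = timedelta(minutes=15)  # mirrors "timechart span=15m"


def dedup_latest(events, keys):
    """Mimic Splunk dedup: scan newest-first and keep the first event seen
    for each key combination, so older copies of a re-emitted record drop."""
    seen, kept = set(), []
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        k = tuple(ev[f] for f in keys)
        if k in seen:
            continue
        seen.add(k)
        kept.append(ev)
    return kept


def bucket(ts, span, origin):
    """Align a timestamp to the start of its span-wide bucket."""
    return origin + int((ts - origin) // span) * span


def timechart_percentage(events, span, origin):
    """Per-bucket count, mean(status) with status=100 for Y / 0 for N, and the
    equivalent eval-style ratio 100*count(Y)/count, keyed by bucket start."""
    acc = defaultdict(lambda: {"yes": 0, "total": 0, "status_sum": 0})
    for ev in events:
        s = acc[bucket(ev["_time"], span, origin)]
        s["total"] += 1
        s["yes"] += ev["completed"] == "Y"
        s["status_sum"] += 100 if ev["completed"] == "Y" else 0
    return {
        b.strftime("%H:%M"): {
            "count": s["total"],
            "mean_status": s["status_sum"] / s["total"],
            "pct_yes": 100 * s["yes"] / s["total"],
        }
        for b, s in sorted(acc.items())
    }


def build_sample_events():
    """Constructed sample: col1 is the record key; the source re-emits some
    records later, which is what the resolution in the thread describes."""
    t0 = datetime(2024, 1, 1, 0, 45)  # constructed window start
    events = []
    # slot 00:45-01:00: ten distinct records, nine Y and one N (90% Y)
    for i in range(1, 11):
        events.append({"_time": t0 + timedelta(minutes=i), "col1": f"rec{i}",
                       "bizname": "ABC", "completed": "N" if i == 10 else "Y"})
    # slot 01:15-01:30: rec1..rec6 re-emitted (updated) plus two new records
    t3 = t0 + 2 * SLOT
    for i in range(1, 7):
        events.append({"_time": t3 + timedelta(minutes=i), "col1": f"rec{i}",
                       "bizname": "ABC", "completed": "Y"})
    events.append({"_time": t3 + timedelta(minutes=8), "col1": "rec11",
                   "bizname": "ABC", "completed": "N"})
    events.append({"_time": t3 + timedelta(minutes=9), "col1": "rec12",
                   "bizname": "ABC", "completed": "Y"})
    return events


def run_search(events, earliest, latest, keys=("col1",)):
    """Time-picker filter, then dedup, then timechart: the order the query
    in the question applies them."""
    in_window = [e for e in events if earliest <= e["_time"] < latest]
    return timechart_percentage(dedup_latest(in_window, keys), SLOT, earliest)


def demo():
    """Wide window (00:45-01:30) versus narrow window (00:45-01:00)."""
    events = build_sample_events()
    t0 = datetime(2024, 1, 1, 0, 45)
    wide = run_search(events, t0, t0 + 3 * SLOT)
    narrow = run_search(events, t0, t0 + SLOT)
    return wide, narrow


if __name__ == "__main__":
    wide, narrow = demo()
    print("wide   00:45 ->", wide["00:45"])    # count 4, 75% Y
    print("narrow 00:45 ->", narrow["00:45"])  # count 10, 90% Y
```

With the wide window, the six records re-emitted in the 01:15 slot survive dedup there and their older copies vanish from 00:45, leaving four events and a lower percentage; the narrow window sees no later duplicates and keeps all ten. In both cases `mean_status` and `pct_yes` agree, which is why `mean(status)` over 100/0 values behaves like the percentage the question wanted; the same ratio in SPL would be a `count(eval(completed="Y"))` divided by `count` in an `eval`. Empty buckets (01:00 here) are simply absent, which is the gap the query's `fillnull value=100` papers over.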