Splunk Dev
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a chart or table that shows results for multiply sourcetypes.

mrtolu6
Path Finder
‎06-09-2017 08:30 AM

I want to create a chart separated by hours (24hours) and grouped by the sourcetype that shows the number of data that took more than 2 mins to be indexed (indextime-time) and converted into percent. The percent would be the total event that took over 2mins to be indexed divided by the total number of events for that hour.(for that 1 hour span). The result shold be grouped by the sourcetype

This is the basic search I'm using to calculate the events over 2mins
earliest=-24h@h latest=@h index=nameoftheindex
| eval GT2=if(_indextime-_time>=120,1,0)
| bin _time span=1h
| stats avg(GT2) as PctGT2 by _time

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-09-2017 08:52 AM 
earliest=-24h@h latest=@h index=nameoftheindex 
| eval GT2=if(_indextime-_time>=120,1,0)
| bin _time span=1h
| stats avg(GT2) as PctGT2 by _time sourcetype
| eval PctGT2=round(100*PctGT2,2)
| timechart avg(pctGT2) as pctGT2 by sourcetype

Technically, if you are going to use timechart, you wouldn't have to bin the _time and stats for the avg, since timechart will handle that in a single step.

earliest=-24h@h latest=@h index=nameoftheindex 
| eval GT2=if(_indextime-_time>=120,100,0)
| timechart span=1h avg(GT2) as pctGT2 by sourcetype

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-09-2017 08:52 AM 
earliest=-24h@h latest=@h index=nameoftheindex 
| eval GT2=if(_indextime-_time>=120,1,0)
| bin _time span=1h
| stats avg(GT2) as PctGT2 by _time sourcetype
| eval PctGT2=round(100*PctGT2,2)
| timechart avg(pctGT2) as pctGT2 by sourcetype

Technically, if you are going to use timechart, you wouldn't have to bin the _time and stats for the avg, since timechart will handle that in a single step.

earliest=-24h@h latest=@h index=nameoftheindex 
| eval GT2=if(_indextime-_time>=120,100,0)
| timechart span=1h avg(GT2) as pctGT2 by sourcetype
0 Karma
Reply
Get Updates on the Splunk Community!

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...
Top