Splunk Enterprise

Measuring a rate with pie chart counts and percentages

Explorer

Hi,

I'm trying to measure a rate of several different computers. The rate is measured from 0 to 100 and I want to know the distribution in performance over time. I would like a pie chart of the rates by percentages, as well as by count Here is my query:

index=computers
| eventstats perc10(rate) AS 10p
| eventstats perc25(rate) AS 25pl
| eventstats perc50(rate) AS 50p
| eventstats perc75(rate) AS 75p
| eval ranking=case( rate <=10pfill, 10, rate <=25pfill, 25, rate <=50pfill, 50, rate <=75pfill, 75, 1=1,1 )
| stats count by ranking | sort + ranking

I am getting an "error in eval command, expression malformed, expected ). error. Can you please explain why and also if I am going about this the right way?

0 Karma

SplunkTrust
SplunkTrust

@jamesandy51 ,

In the arithmetic comparison, you are using strings '10p_fill` and also the eventstats can be combined.
Try this and test if you are geting the expected output

index=computers | eventstats perc10(rate) AS 10,perc25(rate) AS 25,perc50(rate) AS 50,perc75(rate) AS 75
| eval ranking=case( rate <=10, 10, rate <=25, 25, rate <=50, 50, rate <=75, 75, 1=1,1 )
| stats count by ranking | sort + ranking
0 Karma