Splunk Enterprise

Measuring a rate with pie chart counts and percentages

jamesandy51
Explorer

Hi,

I'm trying to measure a rate of several different computers. The rate is measured from 0 to 100 and I want to know the distribution in performance over time. I would like a pie chart of the rates by percentages, as well as by count. Here is my query:

index=computers
| eventstats perc10(rate) AS 10p
| eventstats perc25(rate) AS 25pl
| eventstats perc50(rate) AS 50p
| eventstats perc75(rate) AS 75p
| eval ranking=case( rate <=10p_fill, 10, rate <=25p_fill, 25, rate <=50p_fill, 50, rate <=75p_fill, 75, 1=1,1 )
| stats count by ranking | sort + ranking

I am getting an "error in eval command, expression malformed, expected )" error. Can you please explain why and also if I am going about this the right way?

0 Karma

renjith_nair
SplunkTrust

@jamesandy51 ,

In the arithmetic comparison, you are using strings '10p_fill', and also the eventstats can be combined.
Try this and test if you are getting the expected output:

index=computers | eventstats perc10(rate) AS p10, perc25(rate) AS p25, perc50(rate) AS p50, perc75(rate) AS p75
| eval ranking=case( rate <=p10, 10, rate <=p25, 25, rate <=p50, 50, rate <=p75, 75, 1=1,1 )
| stats count by ranking | sort + ranking
0 Karma
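
An added example, not part of either post above: a search that returns both the count and the percentage for each percentile band, which is what the question asks to chart. The first two lines generate constructed sample data so the search runs on any instance; the band labels and the `total` and `percent` field names are assumptions made for this example. The percentile fields are given names that start with a letter because `eval` reads a bare `10` as the number 10, not as a field named 10.

```spl
| makeresults count=200
| eval rate=random() % 101
| eventstats perc10(rate) AS p10, perc25(rate) AS p25, perc50(rate) AS p50, perc75(rate) AS p75
| eval ranking=case(rate<=p10, "p0-p10", rate<=p25, "p10-p25", rate<=p50, "p25-p50", rate<=p75, "p50-p75", true(), "p75-p100")
| stats count BY ranking
| eventstats sum(count) AS total
| eval percent=round(count * 100 / total, 1)
| fields ranking count percent
| sort ranking
```

On real data, replace the first two lines with `index=computers`. A pie chart built on this result uses `ranking` as the slice label and `count` as the slice size.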