source =/opt/data/splunkLogs/order_transaction.log | eval TotalOrders=if(match(OrderStatus,"In Progress"),count,0) | eval CompOrders=if(match(OrderStatus,"Complete"),count,0) | eval ErrOrders=if(match(OrderStatus,"In Error"),count,0) | eval InProgOrders=(TotalOrders - CompOrders - ErrOrders)
I want to calculate these values from the events:
Total Orders = All orders with In progress status.
Complete Orders = All orders with Complete status.
Orders in Error = All orders with In Error status.
In-progress Orders = TotalOrders - CompleteOrders - InErrorOrders
Hi rajendra_b,
use either eval TotalOrders=if(match(OrderStatus,"In Progress"),count,"0")
or eval TotalOrders=if(match(OrderStatus,"In Progress"),count,null())
Hope this helps ...
cheers, MuS
Thanks for responding. I modified it like below and it works now. However, when I use this in a pie chart the values are only displayed when you hover the mouse over it; I want them to be displayed on the panel as well. How can we do that?
source =/opt/data/splunkLogs/order_transaction.log | dedup OrderId | stats count(eval(OrderStatus="In Progress")) AS InProgOrders, count(eval(OrderStatus="Complete")) AS CompOrders, count(eval(OrderStatus="In Error")) AS ErrOrders | eval TotalOrders=(InProgOrders + CompOrders + ErrOrders) | table TotalOrders, CompOrders, InProgOrders, ErrOrders
Hi, this is indeed possible if you use some tricks 😉
Take a look at this answer or at this app
cheers, MuS
Thanks a lot for the suggestions. The Percentage is being displayed, however the count is not. I am trying different ways to render the count. Here is my query just in case.
source =/opt/data/splunkLogs/order_transaction.log | dedup OrderId | stats count(eval(OrderStatus="In Progress")) AS InProgress, count(eval(OrderStatus="Complete")) AS Complete, count(eval(OrderStatus="In Error")) AS Error | transpose
Finally this works. Thank you all for the help. This displays the count as well.
source =/opt/data/splunkLogs/order_transaction.log | dedup OrderId | top OrderStatus | eval OrderStatus=OrderStatus." :".count
Used this to display percentage in the XML as provided earlier.
<option name="charting.chart.showPercent">true</option>
You can only show percentages along with labels, but not the counts.
<option name="charting.chart.showPercent">true</option>
Thanks a lot for the help Ramdaspr. The Percentage works.