Splunk Search

Calculating percentage and placing in a radial gauge

ronmurphy
New Member

I am trying to use a radial gauge to report a percentage. I've built my search and the field that I want to report on has 4 different values.

I have my basic search and then the following:

| stats count by myfield | gauge count by myfield=normal*

which gives me a gauge value of 4, but that only reflects the total different values of the field "severity".

I've tried to place an eval but it doesn't take

| stats count myfield1 as (search severity=normal) 
| stats count myfield2 as (search severity="*") 
| eval myfield=100*(myfield1/myfield2) 
| gauge myfield 
0 Karma

jwch
Explorer

I used something like this:

search
| dedup ID
| eval breached = if(SLA = "Breached", 1, 0)
| eval active = if(SLA = "Active", 1, 0)
| eval met = if(SLA = "Met", 1, 0)
| eval total = 1
| stats sum(breached) AS sum_breached, sum(active) AS sum_active, sum(met) AS sum_met, sum(total) AS sum_total
| eval perc_breached=((sum_breached/sum_total)*100)
| eval perc_active=((sum_active/sum_total)*100)
| eval perc_met=((sum_met/sum_total)*100)
| gauge perc_met

0 Karma

ronmurphy
New Member

This really helps. Now what I'm trying to do is timechart these percentages, however the timechart function only seems to work on registered fields.

0 Karma

_d_
Splunk Employee

Something like this should work:

index=bar severity=* | eval foo=if(severity=="normal",1,0) | stats count as total, sum(foo) | rename sum(foo) as foo | eval percfoo=100*(foo/total) | gauge percfoo

Hope this helps,

d.
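
For the follow-up question about charting the percentage over time, here is one way to do it, added as an example and not posted by anyone in this thread. It reuses `index=bar` and the `severity` field from the answer above; the field names `total`, `normal` and `perc_normal` are made up for illustration.

```spl
index=bar severity=*
| timechart count AS total, count(eval(severity=="normal")) AS normal
| eval perc_normal=if(total>0, round(100*normal/total, 2), 0)
| fields _time perc_normal
```

The percentage is computed after `timechart` has produced per-bucket counts, so it does not need to exist as a field on the raw events, and the `total>0` guard keeps empty time buckets at 0 instead of leaving them null.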
