Splunk Search

Calculating percentage and placing in a radial gauge

ronmurphy
New Member

I am trying to a radial gauge to report a percentage. I've built my search and the field that I want to report on has 4 different values.

I have my basic search and then the following:

| stats count by myfield | gauge count by myfield=normal*

which gives me a gauge value of 4 but that only reflect the total different values of the field "severity".

I've tried to place an eval but it doesn't take

| stats count myfield1 as (search severity=normal) 
| stats count myfield2 as (search severity="*") 
| eval myfield=100*(myfield1/myfield2) 
| gauge myfield 
Tags (1)
0 Karma

jwch
Explorer

I used something like this:

search
| dedup ID
| eval breached = if(SLA = "Breached", 1, 0)
| eval active = if(SLA = "Active", 1, 0)
| eval met = if(SLA = "Met", 1, 0)
| eval total = 1
| stats sum(breached) AS sum_breached, sum(active) AS sum_active, sum(met) AS sum_met, sum(total) AS sum_total
| eval perc_breached=((sum_breached/sum_total)*100)
| eval perc_active=((sum_active/sum_total)*100)
| eval perc_met=((sum_met/sum_total)*100)
| gauge perc_met

0 Karma

ronmurphy
New Member

This really helps. Now what I'm trying to do is timechart these percentages, however the timechart function only seems to work on registered fields.

0 Karma

_d_
Splunk Employee
Splunk Employee

Something like this should work:

index=bar severity=* | eval foo=if(severity=="normal",1,0) | stats count as total, sum(foo) | rename sum(foo) as foo | eval percfoo=100*(foo/total) | gauge percfoo

Hope this helps,

d.

Get Updates on the Splunk Community!

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

[Coming Soon] Splunk Observability Cloud - Enhanced navigation with a modern look and ...

We are excited to introduce our enhanced UI that brings together AppDynamics and Splunk Observability. This is ...