Splunk Search

Calculating percentage and placing in a radial gauge

ronmurphy
New Member

I am trying to a radial gauge to report a percentage. I've built my search and the field that I want to report on has 4 different values.

I have my basic search and then the following:

| stats count by myfield | gauge count by myfield=normal*

which gives me a gauge value of 4 but that only reflect the total different values of the field "severity".

I've tried to place an eval but it doesn't take

| stats count myfield1 as (search severity=normal) 
| stats count myfield2 as (search severity="*") 
| eval myfield=100*(myfield1/myfield2) 
| gauge myfield 
Tags (1)
0 Karma

jwch
Explorer

I used something like this:

search
| dedup ID
| eval breached = if(SLA = "Breached", 1, 0)
| eval active = if(SLA = "Active", 1, 0)
| eval met = if(SLA = "Met", 1, 0)
| eval total = 1
| stats sum(breached) AS sum_breached, sum(active) AS sum_active, sum(met) AS sum_met, sum(total) AS sum_total
| eval perc_breached=((sum_breached/sum_total)*100)
| eval perc_active=((sum_active/sum_total)*100)
| eval perc_met=((sum_met/sum_total)*100)
| gauge perc_met

0 Karma

ronmurphy
New Member

This really helps. Now what I'm trying to do is timechart these percentages, however the timechart function only seems to work on registered fields.

0 Karma

_d_
Splunk Employee
Splunk Employee

Something like this should work:

index=bar severity=* | eval foo=if(severity=="normal",1,0) | stats count as total, sum(foo) | rename sum(foo) as foo | eval percfoo=100*(foo/total) | gauge percfoo

Hope this helps,

d.

Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...