Create a Timechart to compare values from computation using multisearch and after stats

andres91302
Communicator

Hello guys, I am trying to create a timechart in my dashboard where I can show the percentage of people that enter my website and make a purchase. This calculation is equal to = amount_purchase/total_amount, and my code looks like this:

| multisearch
[| search index="A"
| search IN_PEOPLE="gate_10"]
[|search index="CATALOGUE"
| search ACC="pur_ok"]
| streamstats c(IN_PEOPLE) as IN, c(ACC) as OUT
| eval rate=OUT/IN

Now that rate has been calculated, I want a timechart that can show me the value of rate for the last 10 days. I was trying with the following code:

| multisearch
[| search index="A"
| search IN_PEOPLE="gate_10"]
[|search index="CATALOGUE"
| search ACC="pur_ok"]
| streamstats c(IN_PEOPLE) as IN, c(ACC) as OUT
| eval rate=OUT/IN
| timechart span=1d max(rate) as rate

BUT it is not showing what I am looking for, because it will give the max value of rate recorded, but what I want is the overall rate of yesterday and the day before and so on. To give you guys an example, the rate for yesterday (April 19 from 00:00 to 24:00) was 0.78, but my code is giving me 1 because I guess at some point the max value of rate was 1.

Thank you so much to anyone that can help me out. I truly, from the bottom of my heart, appreciate your help.
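
One way to get each day's overall ratio, as an added example that is not part of the original post: count both event types per day with `timechart` and divide afterwards, so the rate comes from that day's totals rather than from the peak of a running ratio. The indexes and filters are the ones from the post; the output names `visits` and `purchases`, the `earliest`/`latest` window of ten full days, and the rounding are choices made for this example.

```spl
| multisearch
    [ search index="A" IN_PEOPLE="gate_10" earliest=-10d@d latest=@d ]
    [ search index="CATALOGUE" ACC="pur_ok" earliest=-10d@d latest=@d ]
| timechart span=1d count(IN_PEOPLE) as visits count(ACC) as purchases
| eval rate=if(visits > 0, round(purchases / visits, 2), null())
```

Because `timechart span=1d` restarts its counts in every daily bucket, no cumulative `streamstats` counter is needed, and a day with no entries yields an empty rate instead of a division by zero.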


 

  

