- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Dynamic number of timecharts of field values b...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry if the description isn't clear. Essentially, I'm making a dashboard to display the trends of a project from a list of projects. Each project has multiple tests that can be run with each test having multiple possible results (pass, fail, warning). I currently have a dashboard showing the trend of all tests across time as a general trend using this:
| timechart count by test_result | untable _time test_result count | eventstats sum(count) as Total by _time | eval perc=round(count*100/Total,2) | table _time test_result perc | xyseries _time test_result perc
What I would like to do is below this have a timechart of each test showing the individual test results over time. The new trellis option seems like it should be the answer to my question, but I haven't had any luck.
Basically the goal is the same search above but trellised out into individual timecharts per test_name rather than all of them in one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this as your base search...
your search here
| bin _time span=15m
| stats count as resultcount by _time test_name test_result
| eventstats sum(resultcount) as totalcount by _time test_name
| eval {test_result} = round(resultcount/totalcount,2)
| fields - resultcount totalcount
| stats values(*) as * by _time test_name
Adjust the span as needed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this as your base search...
your search here
| bin _time span=15m
| stats count as resultcount by _time test_name test_result
| eventstats sum(resultcount) as totalcount by _time test_name
| eval {test_result} = round(resultcount/totalcount,2)
| fields - resultcount totalcount
| stats values(*) as * by _time test_name
Adjust the span as needed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wow, that did it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@j4adam, refer to the following FEATURE REQUEST for Trellis Layout with Timechart. Since _time becomes one of the series for depiction in Timechart, you can either use test_result or perc but not both while splitting the chart.
https://answers.splunk.com/answers/588081/feature-request-trellis-timechart-with-color-by-fi.html
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried running timechart after calculating percentage, and then using the trellis visualization?
| timechart count by test_result | untable _time test_result count | eventstats sum(count) as Total by _time | eval perc=round(count*100/Total,2) | timechart values(perc) AS perc by test_result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply! That still ends up creating a trellis of the 3 (timechart for fails, for passes for warnings) with the percentages of each. What I need is a timechart for each test that contains the trends of each of the pass/fail/warning in the same chart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh got it. So I assume you have another field (say, test) which indicates the test name or ID.
Also, assuming you can have 3 values for test_result: pass, fail and warning.
In which case, you could try:
| timechart count(test_result="pass") AS pass_count count(test_result="fail") AS fail_count count(test_result="warning") AS warning_count count AS Total by test | eval perc_pass=round(pass_count*100/Total,2) | eval perc_fail=round(fail_count*100/Total,2) | eval perc_warning=round(warning_count*100/Total,2) | timechart values(perc_pass) AS perc_pass values(perc_fail) AS perc_fail values(perc_warning) AS perc_warning by test
Does this make sense?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It does make sense, kind of. I have a field named test_name. I see what you're trying to do here, but I'm not entirely sure what the result is when I run it. I've ended up with a trellis of test_names with values charted (big step here) but it's just "Total" and "warning" but Warning is always 0 and Total has spikes that go back to 0 immediate after a single point after this portion: | eval perc_pass=round(pass_count*100/Total,2) | eval perc_fail=round(fail_count*100/Total,2) | eval perc_warning=round(warning_count*100/Total,2) If I add the other stuff it does not work unless I have just a single value and that also only shows one result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you try specifying the span for both time charts? (The same span for both)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Changing the span didn't work unfortunately. However DalJeanis seems to have figured it out. Now to process how that worked...
Thanks for the help, though!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
