- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Dynamic number of timecharts of field values b...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry if the description isn't clear. Essentially, I'm making a dashboard to display the trends of a project from a list of projects. Each project has multiple tests that can be run with each test having multiple possible results (pass, fail, warning). I currently have a dashboard showing the trend of all tests across time as a general trend using this:
| timechart count by test_result | untable _time test_result count | eventstats sum(count) as Total by _time | eval perc=round(count*100/Total,2) | table _time test_result perc | xyseries _time test_result perc
What I would like to do is below this have a timechart of each test showing the individual test results over time. The new trellis option seems like it should be the answer to my question, but I haven't had any luck.
Basically the goal is the same search above but trellised out into individual timecharts per test_name rather than all of them in one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this as your base search...
your search here
| bin _time span=15m
| stats count as resultcount by _time test_name test_result
| eventstats sum(resultcount) as totalcount by _time test_name
| eval {test_result} = round(resultcount/totalcount,2)
| fields - resultcount totalcount
| stats values(*) as * by _time test_name
Adjust the span as needed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this as your base search...
your search here
| bin _time span=15m
| stats count as resultcount by _time test_name test_result
| eventstats sum(resultcount) as totalcount by _time test_name
| eval {test_result} = round(resultcount/totalcount,2)
| fields - resultcount totalcount
| stats values(*) as * by _time test_name
Adjust the span as needed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wow, that did it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@j4adam, refer to the following FEATURE REQUEST for Trellis Layout with Timechart. Since _time becomes one of the series for depiction in Timechart, you can either use test_result or perc but not both while splitting the chart.
https://answers.splunk.com/answers/588081/feature-request-trellis-timechart-with-color-by-fi.html
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried running timechart after calculating percentage, and then using the trellis visualization?
| timechart count by test_result | untable _time test_result count | eventstats sum(count) as Total by _time | eval perc=round(count*100/Total,2) | timechart values(perc) AS perc by test_result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply! That still ends up creating a trellis of the 3 (timechart for fails, for passes for warnings) with the percentages of each. What I need is a timechart for each test that contains the trends of each of the pass/fail/warning in the same chart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh got it. So I assume you have another field (say, test) which indicates the test name or ID.
Also, assuming you can have 3 values for test_result: pass, fail and warning.
In which case, you could try:
| timechart count(test_result="pass") AS pass_count count(test_result="fail") AS fail_count count(test_result="warning") AS warning_count count AS Total by test | eval perc_pass=round(pass_count*100/Total,2) | eval perc_fail=round(fail_count*100/Total,2) | eval perc_warning=round(warning_count*100/Total,2) | timechart values(perc_pass) AS perc_pass values(perc_fail) AS perc_fail values(perc_warning) AS perc_warning by test
Does this make sense?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It does make sense, kind of. I have a field named test_name. I see what you're trying to do here, but I'm not entirely sure what the result is when I run it. I've ended up with a trellis of test_names with values charted (big step here) but it's just "Total" and "warning" but Warning is always 0 and Total has spikes that go back to 0 immediate after a single point after this portion: | eval perc_pass=round(pass_count*100/Total,2) | eval perc_fail=round(fail_count*100/Total,2) | eval perc_warning=round(warning_count*100/Total,2) If I add the other stuff it does not work unless I have just a single value and that also only shows one result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you try specifying the span for both time charts? (The same span for both)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Changing the span didn't work unfortunately. However DalJeanis seems to have figured it out. Now to process how that worked...
Thanks for the help, though!
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
