Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dynamic number of timecharts of field values by another field

j4adam
Communicator
‎11-07-2017 11:03 AM

Sorry if the description isn't clear. Essentially, I'm making a dashboard to display the trends of a project from a list of projects. Each project has multiple tests that can be run with each test having multiple possible results (pass, fail, warning). I currently have a dashboard showing the trend of all tests across time as a general trend using this:

| timechart count by test_result | untable _time test_result count | eventstats sum(count) as Total by _time | eval perc=round(count*100/Total,2) | table _time test_result perc | xyseries _time test_result perc

What I would like to do is below this have a timechart of each test showing the individual test results over time. The new trellis option seems like it should be the answer to my question, but I haven't had any luck.

Basically the goal is the same search above but trellised out into individual timecharts per test_name rather than all of them in one.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎11-07-2017 12:16 PM

Try something like this as your base search...

your search here
| bin _time span=15m
| stats count as resultcount by _time test_name test_result
| eventstats sum(resultcount) as totalcount by _time test_name
| eval {test_result} = round(resultcount/totalcount,2)
| fields -  resultcount totalcount
| stats values(*) as * by _time test_name

Adjust the span as needed.

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎11-07-2017 12:16 PM

Try something like this as your base search...

your search here
| bin _time span=15m
| stats count as resultcount by _time test_name test_result
| eventstats sum(resultcount) as totalcount by _time test_name
| eval {test_result} = round(resultcount/totalcount,2)
| fields -  resultcount totalcount
| stats values(*) as * by _time test_name

Adjust the span as needed.

Reply
Solved! Jump to solution

j4adam
Communicator
‎11-07-2017 12:25 PM

wow, that did it!

Reply
Solved! Jump to solution

niketn
Legend
‎11-07-2017 11:47 AM

@j4adam, refer to the following FEATURE REQUEST for Trellis Layout with Timechart. Since _time becomes one of the series for depiction in Timechart, you can either use test_result or perc but not both while splitting the chart.

https://answers.splunk.com/answers/588081/feature-request-trellis-timechart-with-color-by-fi.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

nileena
Path Finder
‎11-07-2017 11:23 AM

Have you tried running timechart after calculating percentage, and then using the trellis visualization?

| timechart count by test_result | untable _time test_result count | eventstats sum(count) as Total by _time | eval perc=round(count*100/Total,2) | timechart values(perc) AS perc by test_result

Reply
Solved! Jump to solution

j4adam
Communicator
‎11-07-2017 11:36 AM

Thanks for the reply! That still ends up creating a trellis of the 3 (timechart for fails, for passes for warnings) with the percentages of each. What I need is a timechart for each test that contains the trends of each of the pass/fail/warning in the same chart.

0 Karma
Reply
Solved! Jump to solution

nileena
Path Finder
‎11-07-2017 11:50 AM

Oh got it. So I assume you have another field (say, test) which indicates the test name or ID.
Also, assuming you can have 3 values for test_result: pass, fail and warning.
In which case, you could try:

| timechart count(test_result="pass") AS pass_count count(test_result="fail") AS fail_count count(test_result="warning") AS warning_count count AS Total by test | eval perc_pass=round(pass_count*100/Total,2) | eval perc_fail=round(fail_count*100/Total,2) | eval perc_warning=round(warning_count*100/Total,2) | timechart values(perc_pass) AS perc_pass values(perc_fail) AS perc_fail values(perc_warning) AS perc_warning by test

Does this make sense?

0 Karma
Reply
Solved! Jump to solution

j4adam
Communicator
‎11-07-2017 11:58 AM

It does make sense, kind of. I have a field named test_name. I see what you're trying to do here, but I'm not entirely sure what the result is when I run it. I've ended up with a trellis of test_names with values charted (big step here) but it's just "Total" and "warning" but Warning is always 0 and Total has spikes that go back to 0 immediate after a single point after this portion: | eval perc_pass=round(pass_count*100/Total,2) | eval perc_fail=round(fail_count*100/Total,2) | eval perc_warning=round(warning_count*100/Total,2) If I add the other stuff it does not work unless I have just a single value and that also only shows one result.

0 Karma
Reply
Solved! Jump to solution

nileena
Path Finder
‎11-07-2017 12:14 PM

Could you try specifying the span for both time charts? (The same span for both)

0 Karma
Reply
Solved! Jump to solution

j4adam
Communicator
‎11-07-2017 12:26 PM

Changing the span didn't work unfortunately. However DalJeanis seems to have figured it out. Now to process how that worked...

Thanks for the help, though!

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top