Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I represent an Eval result with timechart?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rafasalo
Engager
12-08-2015
01:36 AM
Hi,
With the support of Splunk's community, I have this search below. However, right now I would like to take the result and use the timechart command so I can see each hour. How do I do this?
index= "index_cbo_pt" "AcquirerResponseCode=0" | stats count as Result1 | appendcols [search index= "index_cbo_pt" "AcquirerResponseCode=0" | stats dc(MerchantCheckoutId) as Result2] | eval finalValue = Result1/Result2 | table finalValue Result1 Result2
Can somebody help me?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
polymorphic
Communicator
12-08-2015
01:48 AM
Im not sure why you want to do the 'appencols' in this search.
This should be the solution:
index=index_cbo_pt AcquirerResponseCode=0
| timechart span=1h count as Result1 dc(MerchantCheckoutId) as Result2
| eval finalValue = Result1/Result2
| fields _time finalValue Result1 Result2
Try it out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
12-08-2015
01:52 AM
Timechart requires a timestamp so remove the table line and use
timechart list(finalValue) WHATEVEROTHERPARAMETERSYOUWANT
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rafasalo
Engager
12-08-2015
12:57 PM
I've tried the query bellow and haven't worked.
index= "index_cbo_pt" "AcquirerResponseCode=0" | stats count as Result1 | appendcols [search index= "index_cbo_pt" "AcquirerResponseCode=0" | stats dc(MerchantCheckoutId) as Result2] | eval finalValue = Result1/Result2 | timechart list(finalValue) count
thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
12-09-2015
01:39 AM
You don't need the last 'count'. Simply define a span and let the list represent all your values
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
polymorphic
Communicator
12-08-2015
01:48 AM
Im not sure why you want to do the 'appencols' in this search.
This should be the solution:
index=index_cbo_pt AcquirerResponseCode=0
| timechart span=1h count as Result1 dc(MerchantCheckoutId) as Result2
| eval finalValue = Result1/Result2
| fields _time finalValue Result1 Result2
Try it out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rafasalo
Engager
12-08-2015
12:53 PM
Thank your! It works!!
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
