Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to add a calculated column to a chart

cheecheng
Engager
‎12-13-2021 04:00 PM

Hello, I have the following query.

<base query> | rex field=msg "HTTP/1.1\\\" (?<http_status>\d{3})" 
| where http_status=200 OR http_status=401 
| eval event_date=strftime(_time, "%x") 
| chart count over event_date by http_status 
| eval "401 percentage" = round('401'*100/('200'+'401'),2)."%"

 

that gives me the following table

event_date 200 401 401 percentage
========== === === ==============
11/28/21   61  24  28.24%
11/29/21   295 96  24.55%


However, when I go to Visualization, I don't see "401 percentage" on the line chart, but I see the "401 percentage" legend. Any idea why and how to get "401 percentage" to show up on the chart?

Also, currently, the column header for http_status is the value 200 & 401. How do I change the column headers to "HTTP 200" & "HTTP 401"?

Thank you. I'd greatly appreciate the help!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-14-2021 01:53 AM

Try not adding "%" to the field value so that it remains numeric rather than becoming a string

Try rename '401' as "HTTP 401" etc.

View solution in original post

Reply
Solved! Jump to solution

johnhuang
Motivator
‎12-15-2021 07:25 AM

Keep in mind that your largest value is 294 so your chart will be in a range of 0-400 or so. The value of 28% = 0.28 in decimal. It is so small that you can't see it.

What you can do is click on the "Chart Overlay" and add the "401 percentage" on its own Axis/range.

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-14-2021 01:53 AM

Try not adding "%" to the field value so that it remains numeric rather than becoming a string

Try rename '401' as "HTTP 401" etc.

Reply
Solved! Jump to solution

cheecheng
Engager
‎12-15-2021 07:06 AM

I removed the "%" and the values showed up on the chart. Thank you. However, Rename doesn't work. The column header is still 200 & 401. Below is the new query,

<base query> | rex field=msg "HTTP/1.1\\\" (?<http_status>\d{3})" 
| where http_status=200 OR http_status=401 
| eval event_date=strftime(_time, "%x") 
| chart count over event_date by http_status 
| eval "401 percentage" = round('401'*100/('200'+'401'),2) 
| rename '401' as "HTTP 401", '200' as "HTTP 200"

 

Do you know what's wrong with the rename? Thank you.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-15-2021 07:40 AM

Also, remember that you can show a string representation of a field while still keeping it numeric. For example

| fieldformat percentage=(percentage.'%')
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...