Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add a calculated column to a chart

cheecheng
Engager
‎12-13-2021 04:00 PM

Hello, I have the following query.

<base query> | rex field=msg "HTTP/1.1\\\" (?<http_status>\d{3})" 
| where http_status=200 OR http_status=401 
| eval event_date=strftime(_time, "%x") 
| chart count over event_date by http_status 
| eval "401 percentage" = round('401'*100/('200'+'401'),2)."%"

 

that gives me the following table

event_date 200 401 401 percentage
========== === === ==============
11/28/21   61  24  28.24%
11/29/21   295 96  24.55%


However, when I go to Visualization, I don't see "401 percentage" on the line chart, but I see the "401 percentage" legend. Any idea why and how to get "401 percentage" to show up on the chart?

Also, currently, the column header for http_status is the value 200 & 401. How do I change the column headers to "HTTP 200" & "HTTP 401"?

Thank you. I'd greatly appreciate the help!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-14-2021 01:53 AM

Try not adding "%" to the field value so that it remains numeric rather than becoming a string

Try rename '401' as "HTTP 401" etc.

View solution in original post

Reply
Solved! Jump to solution

johnhuang
Motivator
‎12-15-2021 07:25 AM

Keep in mind that your largest value is 294 so your chart will be in a range of 0-400 or so. The value of 28% = 0.28 in decimal. It is so small that you can't see it.

What you can do is click on the "Chart Overlay" and add the "401 percentage" on its own Axis/range.

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-14-2021 01:53 AM

Try not adding "%" to the field value so that it remains numeric rather than becoming a string

Try rename '401' as "HTTP 401" etc.

Reply
Solved! Jump to solution

cheecheng
Engager
‎12-15-2021 07:06 AM

I removed the "%" and the values showed up on the chart. Thank you. However, Rename doesn't work. The column header is still 200 & 401. Below is the new query,

<base query> | rex field=msg "HTTP/1.1\\\" (?<http_status>\d{3})" 
| where http_status=200 OR http_status=401 
| eval event_date=strftime(_time, "%x") 
| chart count over event_date by http_status 
| eval "401 percentage" = round('401'*100/('200'+'401'),2) 
| rename '401' as "HTTP 401", '200' as "HTTP 200"

 

Do you know what's wrong with the rename? Thank you.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-15-2021 07:40 AM

Also, remember that you can show a string representation of a field while still keeping it numeric. For example

| fieldformat percentage=(percentage.'%')
Reply
Get Updates on the Splunk Community!

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...

Enterprise Security Content Update (ESCU) | New Releases

In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...
Top