Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add a calculated column to a chart

cheecheng
Engager
‎12-13-2021 04:00 PM

Hello, I have the following query.

<base query> | rex field=msg "HTTP/1.1\\\" (?<http_status>\d{3})" 
| where http_status=200 OR http_status=401 
| eval event_date=strftime(_time, "%x") 
| chart count over event_date by http_status 
| eval "401 percentage" = round('401'*100/('200'+'401'),2)."%"

 

that gives me the following table

event_date 200 401 401 percentage
========== === === ==============
11/28/21   61  24  28.24%
11/29/21   295 96  24.55%


However, when I go to Visualization, I don't see "401 percentage" on the line chart, but I see the "401 percentage" legend. Any idea why and how to get "401 percentage" to show up on the chart?

Also, currently, the column header for http_status is the value 200 & 401. How do I change the column headers to "HTTP 200" & "HTTP 401"?

Thank you. I'd greatly appreciate the help!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-14-2021 01:53 AM

Try not adding "%" to the field value so that it remains numeric rather than becoming a string

Try rename '401' as "HTTP 401" etc.

View solution in original post

Reply
Solved! Jump to solution

johnhuang
Motivator
‎12-15-2021 07:25 AM

Keep in mind that your largest value is 294 so your chart will be in a range of 0-400 or so. The value of 28% = 0.28 in decimal. It is so small that you can't see it.

What you can do is click on the "Chart Overlay" and add the "401 percentage" on its own Axis/range.

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-14-2021 01:53 AM

Try not adding "%" to the field value so that it remains numeric rather than becoming a string

Try rename '401' as "HTTP 401" etc.

Reply
Solved! Jump to solution

cheecheng
Engager
‎12-15-2021 07:06 AM

I removed the "%" and the values showed up on the chart. Thank you. However, Rename doesn't work. The column header is still 200 & 401. Below is the new query,

<base query> | rex field=msg "HTTP/1.1\\\" (?<http_status>\d{3})" 
| where http_status=200 OR http_status=401 
| eval event_date=strftime(_time, "%x") 
| chart count over event_date by http_status 
| eval "401 percentage" = round('401'*100/('200'+'401'),2) 
| rename '401' as "HTTP 401", '200' as "HTTP 200"

 

Do you know what's wrong with the rename? Thank you.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-15-2021 07:40 AM

Also, remember that you can show a string representation of a field while still keeping it numeric. For example

| fieldformat percentage=(percentage.'%')
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...