Solved: How to create a rate on a timechart with two measu...

taynord · ‎07-13-2019

Works just fine

| timechart  count  by orderLineState
| eval cancelRate=round((cancelled/(cancelled+released))*100,2)

But when I add a second measure in the time chart I can't figure out how to get values I need back out for the cancelRate

| timechart max(node) as m_node count  by orderLineState
| eval cancelRate=round((cancelled/(cancelled+released))*100,2)

martin_mueller · ‎07-13-2019

Pay attention to the field names produced by the timechart, likely count: cancelled etc.

... | eval cancelRate = round(('count: cancelled' / ('count: cancelled' + 'count: released')) * 100, 2)

View solution in original post

woodcock · ‎07-13-2019

Like this:

index=_* component IN("Metrics", "PerProcess")
|  eval component=if(component=="Metrics", "released", "cancelled")
| rename component as orderLineState

| rename COMMENT AS "everything above generates sample events; everything below is your solution"

| timechart  count max(date_hour) AS m_node BY orderLineState
| eval cancelRate=round(('count: cancelled' / ('count: cancelled' + 'count: released')) * 100, 2)

martin_mueller · ‎07-13-2019

Pay attention to the field names produced by the timechart, likely count: cancelled etc.

... | eval cancelRate = round(('count: cancelled' / ('count: cancelled' + 'count: released')) * 100, 2)

How to create a rate on a timechart with two measures?

Get Operational Insights Quickly with Natural Language on the Splunk Platform

What’s New in Splunk Observability Cloud – June 2025

Almost Too Eventful Assurance: Part 2

Are you a member of the Splunk Community?

How to create a rate on a timechart with two measures?

Get Operational Insights Quickly with Natural Language on the Splunk Platform

What’s New in Splunk Observability Cloud – June 2025

Almost Too Eventful Assurance: Part 2