Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a rate on a timechart with two measures?

taynord
Engager
‎07-13-2019 11:47 AM

Works just fine

| timechart  count  by orderLineState
| eval cancelRate=round((cancelled/(cancelled+released))*100,2)

But when I add a second measure in the time chart I can't figure out how to get values I need back out for the cancelRate

| timechart max(node) as m_node count  by orderLineState
| eval cancelRate=round((cancelled/(cancelled+released))*100,2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2019 01:22 PM

Pay attention to the field names produced by the timechart, likely count: cancelled etc.

... | eval cancelRate = round(('count: cancelled' / ('count: cancelled' + 'count: released')) * 100, 2)

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-13-2019 02:53 PM

Like this:

index=_* component IN("Metrics", "PerProcess")
|  eval component=if(component=="Metrics", "released", "cancelled")
| rename component as orderLineState

| rename COMMENT AS "everything above generates sample events; everything below is your solution"

| timechart  count max(date_hour) AS m_node BY orderLineState
| eval cancelRate=round(('count: cancelled' / ('count: cancelled' + 'count: released')) * 100, 2)
0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2019 01:22 PM

Pay attention to the field names produced by the timechart, likely count: cancelled etc.

... | eval cancelRate = round(('count: cancelled' / ('count: cancelled' + 'count: released')) * 100, 2)
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...