Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create top command results in timechart...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to make a timechart to show percentage of error rates over a given time period. What I am looking for from a visualization perspective is a line chart that shows for any binned time period, what the total count of a specific error was, and what the overall percentage that was, and to have the chart be drawn based on the percentage.
Ideally, I'd have both counts and percents on the same chart, but percentage is the important one so I can calculate percentage error over a given timeperiod.
So far, my query is as follows:
Initial Search to create the necessary variables|table errorCode _time|bin span=5m _time| eventstats count as total by _time
| stats count values(total) as total by _time, errorCode
errorCode contains a variety of values, with one value corresponding to success. In theory this should give me a table that looks like
_time errorCode count total
Bucket1 ErrorCode1 X X+Y+Z
Bucket1 ErrorCode2 Y X+Y+Z
Bucket1 Success Z X+Y+Z
From there I would be able to use an eval perc=count/total*100 to be able to build the timechart. However, the total column is incorrect and does not result in the correct values. What would be a better way to build this query out, and is it possible to have the chart be drawn based on percent, but have in any given tooltip percent and count values?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
Initial Search to create the necessary variables
| bin span=5m _time
| table errorCode _time
| stats count by _time, errorCode
| eventstats sum(count) as total by _time
| eval perc=round((count*100)/total,2)
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
Initial Search to create the necessary variables
| bin span=5m _time
| table errorCode _time
| stats count by _time, errorCode
| eventstats sum(count) as total by _time
| eval perc=round((count*100)/total,2)
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, it works.
If I add in a |timechart values(perc) by errorCode it creates a visualization.
Thanks!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
