Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display calculated fields as part of same graph

pjbuchan596
Explorer
‎09-15-2017 12:07 PM

Hello, I'm attempting to display three calculated fields (total_meeting_hours, total_use_no_meeting_hours, and hours_not_in_use) as a part of a pie chart. Each of these fields should represent a calculated portion of the total pie chart, with their values given on mouse over and their field names showing as their labels for their respective portions on the graph.

I'm currently attempting to achieve this (seen below) by using mvappend to create a multi-value field (display_val) and then split on that field in the chart function. However when splitting by this field it displays the numeric time values for each of the fields instead of the field names (i.e "11.023" hour time instead of "total_meeting_hours"). How would I go about accomplishing this? I attempted to create a separate multi-value field and combine it with the other for labeling, but have so far been unable to do so. I'd greatly appreciate help!

| convert num(SM_C.value.data.elapsedTime) as use_duration num(SM_C.value.data.MeetingElapsedTime) as meeting_duration
| where (use_duration < 50000 and use_duration > 0)
| eval meeting_duration = if(meeting_duration < use_duration, meeting_duration, meeting_duration = 0)
| stats sum(use_duration) as total_duration sum(meeting_duration) as total_meeting_duration
| eval total_meeting_hours = (total_meeting_duration / 60 / 60)
| eval total_use_no_meeting_hours = (total_duration / 60 / 60) - total_meeting_hours
| eval hours_not_in_use = (168) - (total_duration / 60 / 60)
| eval display_val=(mvappend(hours_not_in_use, total_use_no_meeting_hours, total_meeting_hours))
| eval display_label=(mvappend("hours_not_in_use", "total_use_no_meeting_hours", "total_meeting_hours"))
| mvexpand display_val
| mvexpand display_label
| chart eval(sum(display_val) / 168) as Percentage by display_val
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
SplunkTrust
SplunkTrust
‎09-15-2017 03:17 PM

How about something like this ...

 | convert num(SM_C.value.data.elapsedTime) as use_duration
           num(SM_C.value.data.MeetingElapsedTime) as meeting_duration
 | where (use_duration < 50000 and use_duration > 0)
 | eval meeting_duration = if(meeting_duration < use_duration, meeting_duration, meeting_duration = 0)
 | stats sum(use_duration) as total_duration sum(meeting_duration) as total_meeting_duration

 | eval used_hours = round((total_meeting_duration / 3600),2)
 | eval reserved_hours = round((total_duration / 3600),2) 
 | eval unused_hours = 168-reserved_hours
 | eval reserved_unused = reserved_hours - used_hours

 | eval fan=mvrange(1,3.0001)
 | mvexpand fan
 | eval Usage=case(fan=1,"Used", fan="2","Reserved Not Used", fan=3,"Unused")
 | eval Value=case(fan=1,used_hours, fan="2",reserved_unused, fan=3,unused_hours)
 | chart sum(Value) by Usage

View solution in original post

0 Karma
Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎09-15-2017 03:47 PM

Hey @pjbuchan596, if DalJeanis solved your problem, remember to "√Accept" an answer to award karma points 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
SplunkTrust
SplunkTrust
‎09-15-2017 03:17 PM

How about something like this ...

 | convert num(SM_C.value.data.elapsedTime) as use_duration
           num(SM_C.value.data.MeetingElapsedTime) as meeting_duration
 | where (use_duration < 50000 and use_duration > 0)
 | eval meeting_duration = if(meeting_duration < use_duration, meeting_duration, meeting_duration = 0)
 | stats sum(use_duration) as total_duration sum(meeting_duration) as total_meeting_duration

 | eval used_hours = round((total_meeting_duration / 3600),2)
 | eval reserved_hours = round((total_duration / 3600),2) 
 | eval unused_hours = 168-reserved_hours
 | eval reserved_unused = reserved_hours - used_hours

 | eval fan=mvrange(1,3.0001)
 | mvexpand fan
 | eval Usage=case(fan=1,"Used", fan="2","Reserved Not Used", fan=3,"Unused")
 | eval Value=case(fan=1,used_hours, fan="2",reserved_unused, fan=3,unused_hours)
 | chart sum(Value) by Usage
0 Karma
Reply
Solved! Jump to solution

pjbuchan596
Explorer
‎09-18-2017 05:37 AM

Thank you very much! That answer is what I needed to get it. I made a few changes to it to have it work with my data, as I'm separating room use into both "occupied in call / meeting" vs "occupied only", apart from the room being out of use. But eval's case() function was exactly the solution. Thanks! This was my final solution:

| convert num(SM_C.value.data.elapsedTime) as use_duration num(SM_C.value.data.MeetingElapsedTime) as meeting_duration
| where (use_duration < 50000 and use_duration > 0)
| eval meeting_duration = if(meeting_duration < use_duration, meeting_duration, meeting_duration = 0)
| stats sum(use_duration) as total_duration sum(meeting_duration) as total_meeting_duration

| eval meeting_hours = round((total_meeting_duration / 3600), 2)
| eval used_no_meeting_hours = round(((total_duration / 3600) - meeting_hours), 2)
| eval hours_not_in_use = round((168) - (total_duration / 3600), 2)

| eval fan=mvrange(1, 3.0001)
| mvexpand fan
| eval Usage=case(fan=1,"Occupied", fan=2,"Meeting/Call", fan=3,"Unoccupied")
| eval Value=case(fan=1,used_no_meeting_hours, fan=2,meeting_hours, fan=3,hours_not_in_use)
| chart sum(Value) by Usage

Reply
Solved! Jump to solution

DalJeanis
SplunkTrust
SplunkTrust
‎09-18-2017 06:15 AM

@pjbuchan596 - You're welcome. Thanks for posting the final solution. It helps folks to make their own connections.

I had understood "used-no-meeting" incorrectly, I had assumed that was when someone had reserved the room but not actually occupied it.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...