Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to calculate a percentage for my timechart?

k_harini
Communicator
‎11-22-2016 06:03 AM

I have to calculate % of SLA missed over time.

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status |addtotals| foreach * [eval sla_perc = count * 100 /Total]

Not sure why this is not working. Please help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 06:50 AM

Try this

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status | addtotals| foreach * [eval <<FIELD>>=if(<<FIELD>>==Total, <<FIELD>>, <<FIELD>>/Total)]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 06:50 AM

Try this

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status | addtotals| foreach * [eval <<FIELD>>=if(<<FIELD>>==Total, <<FIELD>>, <<FIELD>>/Total)]
0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:25 AM

which field should i compare with Total.. I just need %.. (count/total)*100 for all values...

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-22-2016 09:31 AM

<<FIELD>> represents each field in the "table". In this case, it will exclude fieldName=Total. Are you not seeing correct results?

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:38 AM

ok thanks.. I'm not getting results.. 😞

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-22-2016 10:18 AM

If the field names are numerical, enclose <<FIELD>> within single quotes - '<<FIELD>>'

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 10:56 AM

Thank you so much.. it worked.. foreach * [eval <>=round('<>'*100/Total].. I was struggling with this for such a long time..

0 Karma
Reply
Solved! Jump to solution

PPape
Contributor
‎11-22-2016 06:14 AM

1.) what is the result you get?
2.) in your foreach [eval sla_perc = count 100 /Total] statement... shouldnt the count be a sla_count?
Asking because in the timechart you define count as sla_count "|timechart count as sla_count by sla_status "

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:24 AM

I get results till Total.. Not getting %.. yes.. it was sla_count.. First did with count and then tried with alias too.. Not working

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...