Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to calculate a percentage for my timechart?

k_harini
Communicator
‎11-22-2016 06:03 AM

I have to calculate % of SLA missed over time.

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status |addtotals| foreach * [eval sla_perc = count * 100 /Total]

Not sure why this is not working. Please help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 06:50 AM

Try this

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status | addtotals| foreach * [eval <<FIELD>>=if(<<FIELD>>==Total, <<FIELD>>, <<FIELD>>/Total)]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 06:50 AM

Try this

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status | addtotals| foreach * [eval <<FIELD>>=if(<<FIELD>>==Total, <<FIELD>>, <<FIELD>>/Total)]
0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:25 AM

which field should i compare with Total.. I just need %.. (count/total)*100 for all values...

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-22-2016 09:31 AM

<<FIELD>> represents each field in the "table". In this case, it will exclude fieldName=Total. Are you not seeing correct results?

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:38 AM

ok thanks.. I'm not getting results.. 😞

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-22-2016 10:18 AM

If the field names are numerical, enclose <<FIELD>> within single quotes - '<<FIELD>>'

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 10:56 AM

Thank you so much.. it worked.. foreach * [eval <>=round('<>'*100/Total].. I was struggling with this for such a long time..

0 Karma
Reply
Solved! Jump to solution

PPape
Contributor
‎11-22-2016 06:14 AM

1.) what is the result you get?
2.) in your foreach [eval sla_perc = count 100 /Total] statement... shouldnt the count be a sla_count?
Asking because in the timechart you define count as sla_count "|timechart count as sla_count by sla_status "

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:24 AM

I get results till Total.. Not getting %.. yes.. it was sla_count.. First did with count and then tried with alias too.. Not working

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...