Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to graph only a certain column of timechart?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to graph only a certain column of timechart?
I'm still a noob to writing splunk searches so please bear with me. 🙂
I have a search that's currently generating 3 columns - but I really just want the last bit (which is the post calculation percentage). I believe I'm going about this completely wrong, as I think I should be doing calculation first, then the timechart at the end.
I was hoping someone could take a look at my existing search statement(s) and help fix it.
search:
index="http_index" cs_uri="http://foo.bar"
| timechart span=1h count(eval(s_cachestatus="CACHE_MISS" OR s_cachestatus="CACHE_REVALIDATED_MISS")) AS cache_miss, count(eval(s_cachestatus="CACHE_HIT" OR s_cachestatus="CACHE_REVALIDATED_HIT" OR s_cachestatus="CACHE_MEM_HIT" OR s_cachestatus="CACHE_REVALIDATED_MEM_HIT")) as cache_hit
| eval cache_hit_ratio=(100*cache_hit/(cache_hit+cache_miss))
So, this plots down the 3 numbers: cache_hit, cache_miss, and the calculated ratio percentage between the two. All I want to chart in the timechart is the ratio%. Help? 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If anyone has a more efficient way to this, please please post 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
looks like this did it:
index="http_index" cs_uri="http://foo.bar" | timechart span=1h count(eval(s_cachestatus="CACHE_MISS" OR s_cachestatus="CACHE_REVALIDATED_MISS")) AS cache_miss, count(eval(s_cachestatus="CACHE_HIT" OR s_cachestatus="CACHE_REVALIDATED_HIT" OR s_cachestatus="CACHE_MEM_HIT" OR s_cachestatus="CACHE_REVALIDATED_MEM_HIT")) as cache_hit | eval cache_hit_ratio=(100*cache_hit/(cache_hit+cache_miss)) | timechart span=1h per_hour(cache_hit_ratio)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Might have solved it myself:
index="http_index" cs_uri="http://foo.bar"
| timechart span=1h count(eval(s_cachestatus="CACHE_MISS" OR s_cachestatus="CACHE_REVALIDATED_MISS")) AS cache_miss, count(eval(s_cachestatus="CACHE_HIT" OR s_cachestatus="CACHE_REVALIDATED_HIT" OR s_cachestatus="CACHE_MEM_HIT" OR s_cachestatus="CACHE_REVALIDATED_MEM_HIT")) as cache_hit
| eval cache_hit_ratio=(100*cache_hit/(cache_hit+cache_miss))
| timechart span=1h per_hour(cache_hit_ratio)
Seems to be generating kind of what I want...just going to confirm the #s are right using the per_hour func. 😛
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
