I'm having trouble creating a chart overlay. Every example for a chart overlay is for a timechart, leading me to wonder if you can only overlay a timechart.
I have my data. Tool and Response are string values. I want to sort it by the two fields, then overlay a percentage value on top for how many times the Response is True.
The chart command below works for my initial chart. I have a chart counting the number of events by Tool.
| chart count by Tool, Response
How do I overlay a percentage value to show how many Responses are "true" for each Tool?
Try something like this (assuming values for field Response is either true
or false
your base search | chart count by Tool Response | addtotals | eval perc_true=round(true*100/Total,2) | table Tool true false perc_true
Then add perc_true as overlay field
Try something like this (assuming values for field Response is either true
or false
your base search | chart count by Tool Response | addtotals | eval perc_true=round(true*100/Total,2) | table Tool true false perc_true
Then add perc_true as overlay field
The command eval perc_true=round(true*100/Total,2) was exactly an answer that I was also looking for. The one thing I did notice, however, is that when I try to add a '%' sign after the number, it turns it into a string and I am unable to graph it on a chart anymore.
Example: In my query I have
week_percenttotal=round(lastweekproduct*100/total, 2)."%"
displays: 45.78% , etc. etc...
and this now becomes a string and I cannot overlay the data in my chart with other data.
That is correct. The values should be numeric for being charged. One workaround could be to include the % sign on the field name. ( eval "week_total%"=round(lastweekproduct*100/total, 2)
)
Thanks for the advice!
I wasn't using just true and false, here is a modification if you are reading this and have multiple fields, but the same issue.
your base search | chart count by Tool Response | addtotals | eval perc_true=round(('blocked'+'detected')*100/Total,0) | table Tool blocked detected unknown perc_true