Splunk Search

How to overlay a percentage value on a chart (not timechart)?

AndySplunks
Communicator

I'm having trouble creating a chart overlay. Every example for a chart overlay is for a timechart, leading me to wonder if you can only overlay a timechart.

I have my data. Tool and Response are string values. I want to sort it by the two fields, then overlay a percentage value on top for how many times the Response is True.

The chart command below works for my initial chart. I have a chart counting the number of events by Tool.

|  chart count by Tool, Response

How do I overlay a percentage value to show how many Responses are "true" for each Tool?

Tags (3)
0 Karma
1 Solution

somesoni2
Revered Legend

Try something like this (assuming values for field Response is either true or false

your base search | chart count by Tool Response | addtotals | eval perc_true=round(true*100/Total,2) | table Tool true false perc_true

Then add perc_true as overlay field

View solution in original post

somesoni2
Revered Legend

Try something like this (assuming values for field Response is either true or false

your base search | chart count by Tool Response | addtotals | eval perc_true=round(true*100/Total,2) | table Tool true false perc_true

Then add perc_true as overlay field

demkic
Explorer

The command eval perc_true=round(true*100/Total,2) was exactly an answer that I was also looking for. The one thing I did notice, however, is that when I try to add a '%' sign after the number, it turns it into a string and I am unable to graph it on a chart anymore.

Example: In my query I have

week_percenttotal=round(lastweekproduct*100/total, 2)."%"

displays: 45.78% , etc. etc...

and this now becomes a string and I cannot overlay the data in my chart with other data.

0 Karma

somesoni2
Revered Legend

That is correct. The values should be numeric for being charged. One workaround could be to include the % sign on the field name. ( eval "week_total%"=round(lastweekproduct*100/total, 2) )

0 Karma

demkic
Explorer

Thanks for the advice!

0 Karma

AndySplunks
Communicator

I wasn't using just true and false, here is a modification if you are reading this and have multiple fields, but the same issue.

your base search | chart count by Tool Response | addtotals | eval perc_true=round(('blocked'+'detected')*100/Total,0) | table Tool blocked detected unknown perc_true
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...