Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Make a dashboard visual from calculated field

hollybross1219
Path Finder
‎02-28-2020 04:38 PM

Splunk n00b here with a question.

I have a query I would like to display on a bar graph dashboard visual. Here is the query:

index=wsi_tax_summary sourcetype=stash partnerId=* error_msg_service=* ein=* ein!="" tax_year=2019 capability=109* 
| eval error_msg_service = case(match(error_msg_service, "OK"), "Success", 1==1, "Fail") 
| stats dc(intuit_tid) as Total by partnerId error_msg_service 
| chart limit=0 useother=f sum(Total) as Total by partnerId error_msg_service 
| eval total_request = Fail + Success 
| eval "Success Rate" = round(((Success/total_request)*100),2) 
| fieldformat "Success Rate"=tostring('Success Rate')+"%" 
| sort "Success Rate"
| fields partnerId "Success Rate"

Since I'm aiming for a bar graph, the values on Y axis should be partnerId and the X axis should be a value called "Success Rate", which I created with several eval statements. When I click into "visual", nothing produces. Looks like I can only do it with a chart or timechart function

Anyone know how I can achieve this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-28-2020 05:06 PM 
 index=wsi_tax_summary sourcetype=stash partnerId=* error_msg_service=* ein=* ein!="" tax_year=2019 capability=109* 
 | eval error_msg_service = case(match(error_msg_service, "OK"), "Success", 1==1, "Fail") 
 | stats dc(intuit_tid) as Total by partnerId error_msg_service 
 | chart limit=0 useother=f sum(Total) as Total by partnerId error_msg_service 
 | eval total_request = Fail + Success 
 | eval "Success Rate" = round(((Success/total_request)*100),2) 
 | sort "Success Rate"
 | fields partnerId "Success Rate"

I think, you are not n00b .
try Visualization > Bar Chart

View solution in original post

0 Karma
Reply
Solved! Jump to solution

hollybross1219
Path Finder
‎03-02-2020 09:45 AM

Hey @to4kawa, thank you. I guess the fieldformat messed up the viz 🙂

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-02-2020 01:01 PM

I see, please accept the answer to close the question.

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-28-2020 05:06 PM 
 index=wsi_tax_summary sourcetype=stash partnerId=* error_msg_service=* ein=* ein!="" tax_year=2019 capability=109* 
 | eval error_msg_service = case(match(error_msg_service, "OK"), "Success", 1==1, "Fail") 
 | stats dc(intuit_tid) as Total by partnerId error_msg_service 
 | chart limit=0 useother=f sum(Total) as Total by partnerId error_msg_service 
 | eval total_request = Fail + Success 
 | eval "Success Rate" = round(((Success/total_request)*100),2) 
 | sort "Success Rate"
 | fields partnerId "Success Rate"

I think, you are not n00b .
try Visualization > Bar Chart

0 Karma
Reply
Get Updates on the Splunk Community!

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...
Top