Splunk Search

## Result of a calc in a timechart

Engager

Hello,

I'm trying to make an availability graph based on the below calculation:

index="MYINDEX" host="MYHOST" NOT "UNWANTED_VHOST" | stats count(eval(status="500" OR status="501" OR status="502" OR status="503" OR status="504" OR status="505" OR status="506" OR status="507" OR status="508" OR status="509" OR status="510" OR status="511")) as error count(eval(status="200")) as good | head 100 | eval calc = (100/(good+error))*good | stats sum(calc) as Disponibilitรฉ

The calculation is Ok but I'm not coming to create a timechart where the evolution of "Disponibilitรฉ" is calculated day by day.

Do you have any idea of how I can do that ?

Regards,

Tags (3)
1 Solution
Engager

Thanks for your quick answers @efavreau, @nickhillscpl ๐

With your help I've found the solution for my case and I put it below if it's can help somebody :

``````index="MY_INDEX" host="MY_HOST" NOT "UNWANTED_VHOST"  |  timechart span=1Month count(eval(status>500)) as error count(eval(status="200")) as good | head 100 | eval calc = (100/(good+error))*good | table _time calc
``````

Have a nice day

Engager

Thanks for your quick answers @efavreau, @nickhillscpl ๐

With your help I've found the solution for my case and I put it below if it's can help somebody :

``````index="MY_INDEX" host="MY_HOST" NOT "UNWANTED_VHOST"  |  timechart span=1Month count(eval(status>500)) as error count(eval(status="200")) as good | head 100 | eval calc = (100/(good+error))*good | table _time calc
``````

Have a nice day

Ultra Champion

I'm not exactly sure how you want to represent this data, maybe this is what you are looking for, but in any case its a simpler search.

Try the following and let us know how you would like to represent it.

``````index="MY_INDEX" host="MY_HOST" NOT "UNWANTED_VHOST"
| eval result=case(status>500, "error", status=200, "good",1=1,"unknown")
| timechart count by result
``````
Builder

@tmeriadec Try changing your last line to achieve what you're looking for. The `Timechart` command is similar to `stats`, but includes _time in its use automatically, whereas using `stats` you would have to account for this on your own. The `span=1d` is to set your time bucketing into 1 day bins.

``````| timechart span=1d sum(calc) AS Disponibilitรฉ
``````
###

If this reply helps you, an upvote would be appreciated.