Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rounding numbers in a timechart

Runals
Motivator
‎10-18-2012 07:28 AM

I am trying to show on a line graph the percentage of failed login attempts in an authentication stream of events. Everything works but i just assume round the results when in the table view. I've tried inserting round() in a couple places but splunk yells at me for not having _time, not having any fields, or other reasons based on where I try to insert the function. The reality is having the decimal places doesn't detract in the line graph view but I've spent too long on this to just drop it 🙂

My search is designed to grab the eventtypes for authentication success and failure. Because those events also have additional eventtypes associated with them I have used the following to trim back to just the eventtypes I want to count. The math is basiclaly (failure / (failure+success))*100.

...| timechart eval(count(eval(eventtype="authentication_failure")) / (count(eval(eventtype="authentication_failure")) + count(eval(eventtype="authentication_success")))*100) AS rate

I can add a pipe on the end and do an "eval rate=round(rate)" but then you can't drill down into the results. If there is a better way to do this I'm all ears.

Mark

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎10-18-2012 07:35 AM

I don't believe that automatic row drill down is smart enough to handle this case, so if you're running this search from the flashtimeline, you're going to have to choose between a pretty-printed, rounded rate or a working row drill down.

If you want both, you'll have to build a view with a Custom drill down behavior against the SimpleResultsTable module where the results will be displayed.

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎10-18-2012 07:35 AM

I don't believe that automatic row drill down is smart enough to handle this case, so if you're running this search from the flashtimeline, you're going to have to choose between a pretty-printed, rounded rate or a working row drill down.

If you want both, you'll have to build a view with a Custom drill down behavior against the SimpleResultsTable module where the results will be displayed.

Reply
Solved! Jump to solution

Runals
Motivator
‎10-18-2012 07:39 AM

Got ya. Thanks for the answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...