Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rounding numbers in a timechart

Runals
Motivator
‎10-18-2012 07:28 AM

I am trying to show on a line graph the percentage of failed login attempts in an authentication stream of events. Everything works but i just assume round the results when in the table view. I've tried inserting round() in a couple places but splunk yells at me for not having _time, not having any fields, or other reasons based on where I try to insert the function. The reality is having the decimal places doesn't detract in the line graph view but I've spent too long on this to just drop it 🙂

My search is designed to grab the eventtypes for authentication success and failure. Because those events also have additional eventtypes associated with them I have used the following to trim back to just the eventtypes I want to count. The math is basiclaly (failure / (failure+success))*100.

...| timechart eval(count(eval(eventtype="authentication_failure")) / (count(eval(eventtype="authentication_failure")) + count(eval(eventtype="authentication_success")))*100) AS rate

I can add a pipe on the end and do an "eval rate=round(rate)" but then you can't drill down into the results. If there is a better way to do this I'm all ears.

Mark

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎10-18-2012 07:35 AM

I don't believe that automatic row drill down is smart enough to handle this case, so if you're running this search from the flashtimeline, you're going to have to choose between a pretty-printed, rounded rate or a working row drill down.

If you want both, you'll have to build a view with a Custom drill down behavior against the SimpleResultsTable module where the results will be displayed.

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎10-18-2012 07:35 AM

I don't believe that automatic row drill down is smart enough to handle this case, so if you're running this search from the flashtimeline, you're going to have to choose between a pretty-printed, rounded rate or a working row drill down.

If you want both, you'll have to build a view with a Custom drill down behavior against the SimpleResultsTable module where the results will be displayed.

Reply
Solved! Jump to solution

Runals
Motivator
‎10-18-2012 07:39 AM

Got ya. Thanks for the answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...