Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Rounding numbers in a timechart

Runals
Motivator
‎10-18-2012 07:28 AM

I am trying to show on a line graph the percentage of failed login attempts in an authentication stream of events. Everything works but i just assume round the results when in the table view. I've tried inserting round() in a couple places but splunk yells at me for not having _time, not having any fields, or other reasons based on where I try to insert the function. The reality is having the decimal places doesn't detract in the line graph view but I've spent too long on this to just drop it 🙂

My search is designed to grab the eventtypes for authentication success and failure. Because those events also have additional eventtypes associated with them I have used the following to trim back to just the eventtypes I want to count. The math is basiclaly (failure / (failure+success))*100.

...| timechart eval(count(eval(eventtype="authentication_failure")) / (count(eval(eventtype="authentication_failure")) + count(eval(eventtype="authentication_success")))*100) AS rate

I can add a pipe on the end and do an "eval rate=round(rate)" but then you can't drill down into the results. If there is a better way to do this I'm all ears.

Mark

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎10-18-2012 07:35 AM

I don't believe that automatic row drill down is smart enough to handle this case, so if you're running this search from the flashtimeline, you're going to have to choose between a pretty-printed, rounded rate or a working row drill down.

If you want both, you'll have to build a view with a Custom drill down behavior against the SimpleResultsTable module where the results will be displayed.

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎10-18-2012 07:35 AM

I don't believe that automatic row drill down is smart enough to handle this case, so if you're running this search from the flashtimeline, you're going to have to choose between a pretty-printed, rounded rate or a working row drill down.

If you want both, you'll have to build a view with a Custom drill down behavior against the SimpleResultsTable module where the results will be displayed.

Reply
Solved! Jump to solution

Runals
Motivator
‎10-18-2012 07:39 AM

Got ya. Thanks for the answer.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...