Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rounding numbers in a timechart

Runals
Motivator
‎10-18-2012 07:28 AM

I am trying to show on a line graph the percentage of failed login attempts in an authentication stream of events. Everything works but i just assume round the results when in the table view. I've tried inserting round() in a couple places but splunk yells at me for not having _time, not having any fields, or other reasons based on where I try to insert the function. The reality is having the decimal places doesn't detract in the line graph view but I've spent too long on this to just drop it 🙂

My search is designed to grab the eventtypes for authentication success and failure. Because those events also have additional eventtypes associated with them I have used the following to trim back to just the eventtypes I want to count. The math is basiclaly (failure / (failure+success))*100.

...| timechart eval(count(eval(eventtype="authentication_failure")) / (count(eval(eventtype="authentication_failure")) + count(eval(eventtype="authentication_success")))*100) AS rate

I can add a pipe on the end and do an "eval rate=round(rate)" but then you can't drill down into the results. If there is a better way to do this I'm all ears.

Mark

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎10-18-2012 07:35 AM

I don't believe that automatic row drill down is smart enough to handle this case, so if you're running this search from the flashtimeline, you're going to have to choose between a pretty-printed, rounded rate or a working row drill down.

If you want both, you'll have to build a view with a Custom drill down behavior against the SimpleResultsTable module where the results will be displayed.

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎10-18-2012 07:35 AM

I don't believe that automatic row drill down is smart enough to handle this case, so if you're running this search from the flashtimeline, you're going to have to choose between a pretty-printed, rounded rate or a working row drill down.

If you want both, you'll have to build a view with a Custom drill down behavior against the SimpleResultsTable module where the results will be displayed.

Reply
Solved! Jump to solution

Runals
Motivator
‎10-18-2012 07:39 AM

Got ya. Thanks for the answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...