Solved: Timechart Cell value replace numeric value by cond...

rishiaggarwal · ‎01-17-2016

Hi All, i am newbie to Splunk and need an assistance in writing a splunk dashboard where i wish to replace the average transaction duration value with a range string. For eg. if the Transaction duration is between 0-6 sec, rather then displaying an actual average duration (number) it should display a text "Green".

Condition : 0-6 Green , 7-20 Amber, >20 Red

Draft Query is given below.

index=XXX_XXX  sourcetype=XXX_YYY source=YXYX_YCYC 
Search String 
| transaction correlationId keepevicted=true 
| timechart span=5m avg(duration) as response_health by activityName
| convert ctime(_time) as _time timeformat="%H:%M %p"  
| fillnull

renjith_nair · ‎01-17-2016

Try this

<your search>|untable _time activityName response_health|eval color=case(response_health==0 AND response_health<7,"Green",response_health> 6 AND response_health<21,"Amber" ,1=1,"Red")|xyseries _time activityName color

Instead of 1=1, you can provide response_heath>20 and give another default value in case the other three conditions are not matched.

Happy Splunking!

View solution in original post

renjith_nair · ‎01-17-2016

Try this

<your search>|untable _time activityName response_health|eval color=case(response_health==0 AND response_health<7,"Green",response_health> 6 AND response_health<21,"Amber" ,1=1,"Red")|xyseries _time activityName color

Instead of 1=1, you can provide response_heath>20 and give another default value in case the other three conditions are not matched.

Happy Splunking!

rishiaggarwal · ‎01-17-2016

Thanks a heap. This solution worked for me.

Timechart Cell value replace numeric value by conditional string

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!