Splunk Search

Timechart Table Question

jhayIV
Engager

Is there a way to add a column to the table below that divides each value by the IS&O to value to get a column that shows compliance?

Example for Tuesday I would like to have a column that divides System Role by IS&O Servers 10046/11683, 86%

Also is there a way to remove the _span entries at the bottom?
alt text

Tags (2)
0 Karma
1 Solution

cmerriman
Super Champion

as long as you're only looking at a 7 day time window, try this:

| timechart span=1d dc(Name) as "IS&O Servers" , Count(SystemRole) as "System Role", count(IsVirtual) as "Virtual Flag", count(OS) as "OS Relationships",count(Site) as "Location",count(Serial_Number) as "Serial Number",count(Domain) as "Domain",count(NumberOfProcessors) as "Processors",count(Total_Physical_Memory) as "Memory"| eval _time=strftime(_time, "%A")|fields - _span*|foreach * [eval <<MATCHSTR>>_perc='<<FIELD>>'/'IS&O Servers']|fields - "IS&O Servers_perc"| transpose header_field=_time

View solution in original post

0 Karma

cmerriman
Super Champion

as long as you're only looking at a 7 day time window, try this:

| timechart span=1d dc(Name) as "IS&O Servers" , Count(SystemRole) as "System Role", count(IsVirtual) as "Virtual Flag", count(OS) as "OS Relationships",count(Site) as "Location",count(Serial_Number) as "Serial Number",count(Domain) as "Domain",count(NumberOfProcessors) as "Processors",count(Total_Physical_Memory) as "Memory"| eval _time=strftime(_time, "%A")|fields - _span*|foreach * [eval <<MATCHSTR>>_perc='<<FIELD>>'/'IS&O Servers']|fields - "IS&O Servers_perc"| transpose header_field=_time
0 Karma

jhayIV
Engager

That is perfect, is there a way to do it as a column for each date? This appended the perc's to the bottom of the table.

0 Karma

cmerriman
Super Champion

This took a bit of thought but I think it should work.

| timechart span=1d dc(Name) as "IS&O Servers" , Count(SystemRole) as "System Role", count(IsVirtual) as "Virtual Flag", count(OS) as "OS Relationships",count(Site) as "Location",count(Serial_Number) as "Serial Number",count(Domain) as "Domain",count(NumberOfProcessors) as "Processors",count(Total_Physical_Memory) as "Memory"| eval _time=strftime(_time, "%A")|fields - _span*|foreach * [eval <<MATCHSTR>>_perc='<<FIELD>>'/'IS&O Servers']|fields - "IS&O Servers_perc"|appendpipe [stats values(*_perc) as * by _time]|eval _time=if(isnull('IS&O Servers'),_time+"_perc",_time)|fields - *_perc| transpose 14 header_field=_time
0 Karma

jhayIV
Engager

Impressive, thanks man!

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@jhayIV - If cmerriman helped to answer your question, please accept her answer and up-vote any helpful comments from her. Thanks!

0 Karma

jhayIV
Engager

It didnt allow me to post an image here is the code I was using

| timechart span=1d dc(Name) as "IS&O Servers" , Count(SystemRole) as "System Role", count(IsVirtual) as "Virtual Flag", count(OS) as "OS Relationships",count(Site) as "Location",count(Serial_Number) as "Serial Number",count(Domain) as "Domain",count(NumberOfProcessors) as "Processors",count(Total_Physical_Memory) as "Memory"| eval _time=strftime(_time, "%A")| transpose

0 Karma

cmerriman
Super Champion

are you doing just a 7 day span for your search? I'm just thinking if you do 2 weeks, it isn't going to combine your Thursdays together in the transpose.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...