Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart expression - No results found.

splunk_zen
Builder
‎03-06-2013 08:54 AM

I'm having trouble computing an aggregate performance indicator.
The following expression (which has the goal to obtain a value up to 100 to feed a radial gauge ) is working,

index=resources_reporting source="*/output/ora_queries/client07/OS_metrics.csv"
| fields USED_CPU HOST_NAME
| eval Platform = case(
HOST_NAME like "%scp%" AND NOT (HOST_NAME like "%dscp%"), "SCPs", 
HOST_NAME like "%dscp%", "DSCPs",
    ...
HOST_NAME like "%mgr%", "MGRs"
)
| eval OptimumCpu = case(
Platform=="SCPs" AND USED_CPU <= 60, 1,
Platform=="DSCPs" AND USED_CPU <= 60, 1,
    ...
Platform=="MGRs" AND USED_CPU <= 60, 1
)
| eval AcceptableCpu = case(
Platform=="SCPs" AND USED_CPU > 60 AND USED_CPU <= 75, 1,
Platform=="DSCPs" AND USED_CPU > 60 AND USED_CPU <= 75, 1,
    ...
Platform=="MGRs" AND USED_CPU > 60 AND USED_CPU <= 75, 1
)
| stats count(USED_CPU) as TotalEvents sum(OptimumCpu) as TotalOptimumCpu sum(AcceptableCpu) as TotalAcceptableCpu by Platform
| fillnull
| eval ScpCpu=if(Platform="SCPs",(TotalOptimumCpu + TotalAcceptableCpu/2) / TotalEvents,0)
| eval DscpCpu=if(Platform="DSCPs",(TotalOptimumCpu + TotalAcceptableCpu/2) / TotalEvents,0)
    ...
| eval MgrCpu=if(Platform="MGRs",(TotalOptimumCpu + TotalAcceptableCpu/2) / TotalEvents,0)
| eval ApdexScore=round(100*(0.17*ScpCpu + 0.17*DscpCpu + ... + 0.04*MgrCpu),2)
    | stats sum(ApdexScore) as TotalApdexScore

which returns something like 99.96,
however I'm missing why I can't get the correponding aggregate time evolution in a line chart, replacing the last line with,

| timechart (ApdexScore) as TotalApdexScore

which returns 

No results found.

What should I change to get a timechart of my ApdexScore expression ?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ant1D
Motivator
‎03-07-2013 02:14 AM

Hi splunk_zen, looking at your query, it seems that you are not bringing the _time field to the point when you need it. Add the _time field to the end of your | stats pipes.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ant1D
Motivator
‎03-07-2013 02:14 AM

Hi splunk_zen, looking at your query, it seems that you are not bringing the _time field to the point when you need it. Add the _time field to the end of your | stats pipes.

Reply
Solved! Jump to solution

MuS
Legend
‎03-08-2013 04:28 AM

just did that, go ahead and accept it 😉

0 Karma
Reply
Solved! Jump to solution

splunk_zen
Builder
‎03-08-2013 04:07 AM

So simple...
Thanks !

I'll accept your comment as an answer if you promote it.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...