Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timecharting a Ratio
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timecharting a Ratio
All,
So I have this search, whick works fine. It shows me the unique users in apache vs errors vs checkouts. Perfect.
eventtype=myeventtype | timechart dc(clientip) as guests
| appendcols [search index=apache_access_logs eventtype=myeventtype status=4* OR status=5*| stats count as error| timechart error]
| appendcols [search eventtype=myeventtype host=s*byx* uri_path="/checkout/CheckoutSuccess/" status=200 | timechart count as checkouts]
But I want a ratio on there too. Not sure how to do that, I figured this line would do it.
appendcols [ eval ratio=guests/checkouts | timechart ratio]
eventtype=myeventtype | timechart dc(clientip) as guests
| appendcols [search index=apache_access_logs eventtype=myeventtype status=4* OR status=5*| stats count as error| timechart error]
| appendcols [search eventtype=myeventtype host=s*byx* uri_path="/checkout/CheckoutSuccess/" status=200 | timechart count as checkouts]
| appendcols [ eval ratio=guests/checkouts | timechart ratio]
But it just errors out. How would I go about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
your first approach of appendcols will result in a table with 4 columns: time, guests, error, checkouts.
After that you don't need more appendcols for calculation, you can just add your eval column to create a 5th column.
Be aware that there is a default time limit of 30 seconds for subsearches in appendcols, you may want to extend this for example to 600 seconds by | appendcols maxtime=600 . If no maxtime is set, the appendcols searches will by stopped silently in the background, which is not visible when this search is fired from a dashboard chart.
eventtype=myeventtype
| timechart dc(clientip) as guests
| appendcols [search index=apache_access_logs eventtype=myeventtype status=4 OR status=5| stats count as error| timechart error]
| appendcols [search eventtype=myeventtype host=sbyx uri_path="/checkout/CheckoutSuccess/" status=200 | timechart count as checkouts]
| eval ratio=guests/checkouts
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
