Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Using calculated values to create timechart -- too many columns

EricLloyd79
Builder
‎05-30-2014 10:17 AM

Hello, I know this type of question has been asked several times: ex:

http://answers.splunk.com/answers/11020/display-calculated-values-in-a-timechart

But I have tried that example and am getting column bars for my total when I just want column bars for my calculated values. Im basically trying to create a chart that return the percentages of a total value but I dont want the values I used (count, total) to be included on the timechart. Here is my query:

XXXXXX NOT(resultType=XXXX) activity=foo OR activity=bar
| timechart span=1h count by activity
| eval total = foo + bar
| eval percAddTrials = round(foo*100/total,1)
| eval percAddSub = round(bar*100/total,1)

I've been working on this for a few days. I started initially trying to use appendcols and that seemed to work somewhat as well:

XXXXX NOT(resultType=XXX) activity=foo
| timechart span=1h count as foo_total
| appendcols
   [search XXXXX NOT(resultType=XXX) activity=bar 
      | timechart span=1h count as bar_total]
| eval total = foo_total + bar_total 
| eval percFoo = round(foo_total*100/total,1)
| eval percBar = round(bar_total*100/total,1)

But this gave me the same issue of displaying the column bars of total and the counts. Any suggestions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-30-2014 03:25 PM

All you should need to do, is to add a final line to your search, eliminating the fields you don't want:

XXXXXX NOT(resultType=XXXX) activity=foo OR activity=bar
| timechart span=1h count by activity
| eval total = foo + bar
| eval percAddTrials = round(foo*100/total,1)
| eval percAddSub = round(bar*100/total,1)
| fields - total

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-30-2014 03:25 PM

All you should need to do, is to add a final line to your search, eliminating the fields you don't want:

XXXXXX NOT(resultType=XXXX) activity=foo OR activity=bar
| timechart span=1h count by activity
| eval total = foo + bar
| eval percAddTrials = round(foo*100/total,1)
| eval percAddSub = round(bar*100/total,1)
| fields - total
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...