Re: eval and timechart

sphiwee · ‎06-20-2021

How can I get STP as a bar chart ? im getting error when i try to do it like this

i want to display STP for each month

sphiwee · ‎06-20-2021

here's the spl query

index="acoe_np_spa_metrics"| search Project="*" AND Volume="*" |bin _time span=1month | stats
count(eval(D_Status="F")) as success_count
count(eval(D_Status="S")) as failure_count | eval TOTAL_COUNT=(success_count + failure_count) | eval STP=(success_count/TOTAL_COUNT)*100 | timechart STP

bowesmana · ‎06-20-2021

There's no need to use stats/bin, you can do it all with timechart and post calculations.

index="acoe_np_spa_metrics"
| search Project="*" AND Volume="*" 
| timechart span=1mon count(eval(D_Status="F")) as success_count
  count(eval(D_Status="S")) as failure_count count as Total
| eval STP=(success_count/Total)*100 
| fields - Total

So generate the timechart and include the Total count per month also, then just calculate the success percentage at the end and then remove the Total field if you don't want it.

Note that this assumes Total will be the same as success+failure - if not, then calculate Total afterwards instead.

sphiwee · ‎06-21-2021

Thanks it works, but seems I actually had to get the sum of the volume where D_status = F and sum of volume where D_Status = S...

How can I achieve this?

bowesmana · ‎06-21-2021

If you want to get the total success/failure counts not split by month then just add an eventstats at the end

| eventstats sum(success_count) as total_success_count sum(failure_count) as total_failure_count

is that what you are after?

eval and timechart

chart

timechart

Upcoming Community Maintenance: 10/28

Best Practices for Metrics Pipeline Management

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...