Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

eval function inside chart using a variable

guilhem
Contributor
‎10-09-2012 09:24 AM

Hello the splunk community,

I'm kinda new to splunk, and I'm trying to perform some charting using the eval function like as follow:

index=index1 action=action1
| chart c as count by action, field1 usenull=f useother=f
| append [search index=index1 action=action2 AND progress >=0.1 |chart eval(dc(e)/count*100) as percentageOfCount by action, field1 usenull=f useother=f]

And the result I want:

action | field1 1st value field1 second value field1 third value

action1 | count for 1st val count for 2nd val count for 3rd val
action2 | percentageOfCount for 1st val percentageOfCount for 2nd val percentageOfCount for 3rd val

(basically I just want to have the percentage according to the count inside the percentageOfCount value, so I can chart it, and not the number of hit)

but i get the error:

Error in 'chart' command: Only the split-by and x-axis fields can be directly referenced in the eval expression.
It seems that the chart doesn't replace the count with it's value, or I am missing something?

If anyone has a workaround, or an explanation of what is happening here it would be very helpfull.

Thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

guilhem
Contributor
‎11-22-2012 06:50 AM

After going back to it, I cannot reproduce the error... So problem solved I guess.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

guilhem
Contributor
‎11-22-2012 06:50 AM

After going back to it, I cannot reproduce the error... So problem solved I guess.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...