Splunk Search

eval function inside chart using a variable

guilhem
Contributor

Hello the splunk community,

I'm kinda new to splunk, and I'm trying to perform some charting using the eval function like as follow:

index=index1 action=action1
| chart c as count by action, field1 usenull=f useother=f
| append [search index=index1 action=action2 AND progress >=0.1 |chart eval(dc(e)/count*100) as percentageOfCount by action, field1 usenull=f useother=f]

And the result I want:

action | field1 1st value field1 second value field1 third value


action1 | count for 1st val count for 2nd val count for 3rd val
action2 | percentageOfCount for 1st val percentageOfCount for 2nd val percentageOfCount for 3rd val

(basically I just want to have the percentage according to the count inside the percentageOfCount value, so I can chart it, and not the number of hit)

but i get the error:

Error in 'chart' command: Only the split-by and x-axis fields can be directly referenced in the eval expression.
It seems that the chart doesn't replace the count with it's value, or I am missing something?

If anyone has a workaround, or an explanation of what is happening here it would be very helpfull.

Thanks!

Tags (3)
0 Karma
1 Solution

guilhem
Contributor

After going back to it, I cannot reproduce the error... So problem solved I guess.

View solution in original post

0 Karma

guilhem
Contributor

After going back to it, I cannot reproduce the error... So problem solved I guess.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...