Solved: eval function inside chart using a variable

guilhem · ‎10-09-2012

Hello the splunk community,

I'm kinda new to splunk, and I'm trying to perform some charting using the eval function like as follow:

index=index1 action=action1
| chart c as count by action, field1 usenull=f useother=f
| append [search index=index1 action=action2 AND progress >=0.1 |chart eval(dc(e)/count*100) as percentageOfCount by action, field1 usenull=f useother=f]

And the result I want:

action | field1 1st value field1 second value field1 third value

action1 | count for 1st val count for 2nd val count for 3rd val
action2 | percentageOfCount for 1st val percentageOfCount for 2nd val percentageOfCount for 3rd val

(basically I just want to have the percentage according to the count inside the percentageOfCount value, so I can chart it, and not the number of hit)

but i get the error:

Error in 'chart' command: Only the split-by and x-axis fields can be directly referenced in the eval expression.
It seems that the chart doesn't replace the count with it's value, or I am missing something?

If anyone has a workaround, or an explanation of what is happening here it would be very helpfull.

Thanks!

guilhem · ‎11-22-2012

After going back to it, I cannot reproduce the error... So problem solved I guess.

View solution in original post

guilhem · ‎11-22-2012

After going back to it, I cannot reproduce the error... So problem solved I guess.

eval function inside chart using a variable

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?