Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eval function inside chart using a variable

guilhem
Contributor
‎10-09-2012 09:24 AM

Hello the splunk community,

I'm kinda new to splunk, and I'm trying to perform some charting using the eval function like as follow:

index=index1 action=action1
| chart c as count by action, field1 usenull=f useother=f
| append [search index=index1 action=action2 AND progress >=0.1 |chart eval(dc(e)/count*100) as percentageOfCount by action, field1 usenull=f useother=f]

And the result I want:

action | field1 1st value field1 second value field1 third value

action1 | count for 1st val count for 2nd val count for 3rd val
action2 | percentageOfCount for 1st val percentageOfCount for 2nd val percentageOfCount for 3rd val

(basically I just want to have the percentage according to the count inside the percentageOfCount value, so I can chart it, and not the number of hit)

but i get the error:

Error in 'chart' command: Only the split-by and x-axis fields can be directly referenced in the eval expression.
It seems that the chart doesn't replace the count with it's value, or I am missing something?

If anyone has a workaround, or an explanation of what is happening here it would be very helpfull.

Thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

guilhem
Contributor
‎11-22-2012 06:50 AM

After going back to it, I cannot reproduce the error... So problem solved I guess.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

guilhem
Contributor
‎11-22-2012 06:50 AM

After going back to it, I cannot reproduce the error... So problem solved I guess.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...