Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

eval function inside chart using a variable

guilhem
Contributor
‎10-09-2012 09:24 AM

Hello the splunk community,

I'm kinda new to splunk, and I'm trying to perform some charting using the eval function like as follow:

index=index1 action=action1
| chart c as count by action, field1 usenull=f useother=f
| append [search index=index1 action=action2 AND progress >=0.1 |chart eval(dc(e)/count*100) as percentageOfCount by action, field1 usenull=f useother=f]

And the result I want:

action | field1 1st value field1 second value field1 third value

action1 | count for 1st val count for 2nd val count for 3rd val
action2 | percentageOfCount for 1st val percentageOfCount for 2nd val percentageOfCount for 3rd val

(basically I just want to have the percentage according to the count inside the percentageOfCount value, so I can chart it, and not the number of hit)

but i get the error:

Error in 'chart' command: Only the split-by and x-axis fields can be directly referenced in the eval expression.
It seems that the chart doesn't replace the count with it's value, or I am missing something?

If anyone has a workaround, or an explanation of what is happening here it would be very helpfull.

Thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

guilhem
Contributor
‎11-22-2012 06:50 AM

After going back to it, I cannot reproduce the error... So problem solved I guess.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

guilhem
Contributor
‎11-22-2012 06:50 AM

After going back to it, I cannot reproduce the error... So problem solved I guess.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...