Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- help for displaying 2 results in a single panel
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello
I use the search below in order to display the result (count) in a single value panel
In the same single value, I would like to have the volume of events in addition to the count
for example, if the count result is 5, I would like to have the volume of online machines
it means that I have to count the number of machines in [| inputlookup host.csv
| table host] and to divise this result by the result of the count
So if the machines count of inputlookup host.csv is 40, I have to divise 5 by 40 in order to know the volume of machines in %
Could you help me please
[| inputlookup host.csv
| table host] index="toto" sourcetype="winhostmon" Type=Service Name=SplunkForwarder
| eval timenow =now()
| eval EventCreatedTime=_time
| eval DiffInSeconds = (timenow - EventCreatedTime)
| eval Status=if(DiffInSeconds<900, "Online", "Offline")
| convert timeformat="%d-%b-%Y %H:%M:%S %p %Z" ctime(EventCreatedTime)
| table host EventCreatedTime DiffInMinutes Status
| sort +EventCreatedTime
| dedup host
| eval Code = if(like(Status,"Online"), "Online", "Offline")
| stats dc(host) AS OnlineCount by Code
| fields OnlineCount
| appendpipe
[ stats count
| where count=0]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So in your search you do the calcuation of volume% and count somehow
But if you want to display in single Panel, the trick is to concatenate it into a single string. Sample below
|makeresults
| eval volume="25%"
| eval count=10
| eval display_value="volume:"+volume+" count:"+count
| table display_value
You may need to use (field) instead of table may be in the last line in dashboards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So in your search you do the calcuation of volume% and count somehow
But if you want to display in single Panel, the trick is to concatenate it into a single string. Sample below
|makeresults
| eval volume="25%"
| eval count=10
| eval display_value="volume:"+volume+" count:"+count
| table display_value
You may need to use (field) instead of table may be in the last line in dashboards.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
