Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

timechart calculated grouped value

ppediaditis
New Member
‎07-07-2011 01:48 AM

I have a query in the form

eventtype="search" | stats count as search_count by host | appendcols [search application=flights eventtype="pay_success" | stats count as buy_count by host] | eval conversion=(buy_count/search_count)*100

which works fine and gives me conversions per host,
however, if I want to chart this over time replacing stats with timechart , it doesn't work the way I expect it to.

Is there any way to timechart a calculated value grouped by another value?

Thanks!

Tags (3)
0 Karma
Reply

BobM
Builder
‎07-07-2011 03:22 AM

I think you could do this by using the bucket function and stats

eventtype="search" | bucket _time span=1h | stats count as search_count by host _time | appendcols [search application=flights eventtype="pay_success" | bucket _time span=1h | stats count as buy_count by host _time ] | eval conversion=(buy_count/search_count)*100 | timechart first(conversion) by host

The bucket command groups data into hour blocks (you can change that to any period you wish) and then the stats now also groups by host and _time so it should now be possible to timechart.

Reply

BobM
Builder
‎01-05-2012 03:38 PM

Timechart has to use a function and the result has to be numerical but the function could be for example "values(field)".

In the above, conversion was a field name and not a function and I knew it only had one value so I used first as the function.

0 Karma
Reply

ppediaditis
New Member
‎07-07-2011 03:42 AM

Nice! However, it doesn't allow me to use timechart with something other than a function (in this case conversion), is there some other syntax I should use?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...