Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart ratio by model

sarathipattam
New Member
‎05-09-2018 12:10 PM

Hi,

below is my query

index_ sourcetype=main
| stats count(eval(level="Error")) as ERRORS count(eval(level="Information")) as USAGE by Model osVersion firmware
|eval RATE=round(((EXCEEDED/REQUEST)*100),1)

and I want to time chart the ratio by this three coloums/dimensions Model, osVersion, firmware.

Can someone assist me please?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-09-2018 12:19 PM

I'm assuming there is a typo in the field names in the eval for RATE field (should be ERRORS/USAGE), so using the correct names, try like this (whatever timespan you want to use for time chart, update the same in bin and timechart command, below uses timespan of 1h or 1 hour)

index_ sourcetype=main
| bin span=1h _time
| stats count(eval(level="Error")) as ERRORS count(eval(level="Information")) as USAGE by _time Model osVersion firmware
|eval RATE=round(((ERRORS/USAGE)*100),1)
| eval Model_osVersion_firmware=Model."/".osVersion."/".firmware
| timechart span=1h avg(RATE) by Model_osVersion_firmware

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sarathipattam
New Member
‎05-09-2018 01:27 PM

concatenate is not working for me

0 Karma
Reply
Solved! Jump to solution

sarathipattam
New Member
‎05-09-2018 02:20 PM

i used strcat and it worked.. thank you!!

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-09-2018 12:19 PM

I'm assuming there is a typo in the field names in the eval for RATE field (should be ERRORS/USAGE), so using the correct names, try like this (whatever timespan you want to use for time chart, update the same in bin and timechart command, below uses timespan of 1h or 1 hour)

index_ sourcetype=main
| bin span=1h _time
| stats count(eval(level="Error")) as ERRORS count(eval(level="Information")) as USAGE by _time Model osVersion firmware
|eval RATE=round(((ERRORS/USAGE)*100),1)
| eval Model_osVersion_firmware=Model."/".osVersion."/".firmware
| timechart span=1h avg(RATE) by Model_osVersion_firmware
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...