Solved: timechart sum

sphiwee · ‎06-21-2021

index="acoe_np_spa_metrics"
| search Project="*" AND Volume="*" 
| timechart span=1mon count(eval(D_Status="F")) as success_count
  count(eval(D_Status="S")) as failure_count count as Total
| eval STP=(success_count/Total)*100 
| fields - Total

Good day, I have the above SPL query it gives me the count of "F"s and "S"s but I need the sum of Volumes where D_Status = F and sum of Volume where D_Status = S

kamlesh_vaghela · ‎06-21-2021

@sphiwee

Can you please try this?

index="acoe_np_spa_metrics" 
| search Project="*" AND Volume="*" 
| timechart span=1mon sum(eval(if(D_Status="F",Volume,0))) as success_count
    count(eval(if(D_Status="S",Volume,0))) as failure_count count as Total 
| eval STP=(success_count/Total)*100 
| fields - Total

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎06-21-2021

@sphiwee

Can you please try this?

index="acoe_np_spa_metrics" 
| search Project="*" AND Volume="*" 
| timechart span=1mon sum(eval(if(D_Status="F",Volume,0))) as success_count
    count(eval(if(D_Status="S",Volume,0))) as failure_count count as Total 
| eval STP=(success_count/Total)*100 
| fields - Total

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

timechart sum

count

eval

fields

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?