Solved: timechart sum

sphiwee · ‎06-21-2021

index="acoe_np_spa_metrics"
| search Project="*" AND Volume="*" 
| timechart span=1mon count(eval(D_Status="F")) as success_count
  count(eval(D_Status="S")) as failure_count count as Total
| eval STP=(success_count/Total)*100 
| fields - Total

Good day, I have the above SPL query it gives me the count of "F"s and "S"s but I need the sum of Volumes where D_Status = F and sum of Volume where D_Status = S

kamlesh_vaghela · ‎06-21-2021

@sphiwee

Can you please try this?

index="acoe_np_spa_metrics" 
| search Project="*" AND Volume="*" 
| timechart span=1mon sum(eval(if(D_Status="F",Volume,0))) as success_count
    count(eval(if(D_Status="S",Volume,0))) as failure_count count as Total 
| eval STP=(success_count/Total)*100 
| fields - Total

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎06-21-2021

@sphiwee

Can you please try this?

index="acoe_np_spa_metrics" 
| search Project="*" AND Volume="*" 
| timechart span=1mon sum(eval(if(D_Status="F",Volume,0))) as success_count
    count(eval(if(D_Status="S",Volume,0))) as failure_count count as Total 
| eval STP=(success_count/Total)*100 
| fields - Total

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

timechart sum

count

eval

fields

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024