ahh I see, thank you! Looks like that did it ... View more

Hello, Is it possible within the above html snippet to add a command that will open the other dashboard in a new window/tab? I would like to keep the original dashboard open at all times and would love it if I can make it so that the other dashboard opens in a new window. thank you! @justinatpnnl ... View more

Can you please explain your reasoning for the untable and first command within the query? It is much appreciated, thank you. ... View more

thank you for your advice ... View more

I appreciate both of your inputs, thank you. I was initially using the custom timewrap extension but am seeing that timechart could be an easier method sometimes. ... View more

Thank you for your response. I realize I wasn't very clear in my question. To clarify, I am using the custom timewrap extension and would like a graph to display on the x-axis the hours against today, yesterday, and the 7-day average. Essentially, I would see three lines going across with a data point at each hour (01, 02, 03, 04...- .. 22, 23). ... View more

It seems that when I try to use the sample query's from the "Timewrap Chart Gallery" in the custom timewrap app, I am not able to translate the SPL correctly to fit my data. I am having the same struggles with trying to plot the percent, hour over hour, for March 8, 2017 for example. base search | | eval _time=strptime(Date_Time, "%D %R") | timechart span=1h count(eval(payment_method="credit_card")) as creditcard, count(payment_method) AS total | eval percent=(creditcard*100/total) | fields _time, percent ... View more

Yes, precisely! I see now. If I wanted to see a week-over-week view for the month of February, would I tweak the above with the following?: base search | where match(Date, "Feb") | eval _time = strptime(Date, "%d-%b-%y") | timechart span=1h count(eval(payment_method="credit_card")) as creditcard, count(payment_method) AS total | eval percent=(creditcard*100/total) | fields _time, percent ... View more

Thank you so much for your response, this result is really wonderful to have. However, it doesn't show week-over-week for only the PaymentMethod=cc. I am trying to see the % of total for PaymentMethod=cc for this week as compared to the last week as compared to 2 weeks ago. Essentially in the x-axis I should have Monday, Tuesday, Wednesday, etc...and the legend will be this week, last week. 2 weeks ago. What this will tell me is that out of all payment methods used (cc, dc, dd, ach), credit cards were used 40% of the time on Wednesday of this week, but 36% of the time on Wednesday of last week, etc... ... View more

Hello, Here is an example of what the data looks like: DATE PaymentMethod 02/01/2017 cc 02/01/2017 cc 02/01/2017 cc 02/01/2017 dc 02/01/2017 dc 02/01/2017 r 02/01/2017 r 02/02/2017 cc 02/02/2017 dc 02/02/2017 ach 02/03/2017 ach 02/03/2017 dp 02/04/2017 dp 02/04/2017 dp I would like to plot only the percent where payment_method=cc was used for week-over-week or day-over-day. The total will be adding up all the columns (maybe using eventstats?). In the example above, essentially total for 02/01/2017=7 and therefore percent_creditcard=3/7=43% for that day. ... View more

This is great, thank you for your feedback. I didn't notice that I was able to state a custom time (earliest and latest) within the alert itself. ... View more

base search | bin span=1d _time | stats sum(total_cards) as Total by _time This did it! I feel like I was missing the concept of "bin". Can you please explain how this command works? I guess I don't really understand the use case? Thank you! ... View more

Actually, if you have some time, could you also please explain this line of command to me? | eval time_marker = if(info_max_time - 3600 <= _time, "Last Hour", "Last Week") What is info_max_time? And why 3600? Many thanks! ... View more

One tiny comment - I noticed when I click on "Last Hour" to view only those results the time stamp says: (12/2/16 9:45:09.000 AM to 12/9/16 9:45:09.949 AM) (I double checked the data for last hour individually and it does seem like something is not being calculated correctly for that time frame.) Should I tweak this line of command somehow? | eval time_marker = if(info_max_time - (24*3600) <= _time, "Last Hour", "Last Week") I'm sorry for the hassle. ... View more

It's totally fine, thank you so much for your help. It works perfect now! If it's not too much trouble to ask - could you explain what the "appendpipe" command is doing here in our case? ... View more

Hi @rjthibod Ideally, I was looking to have three columns where; field1: Error Type field2: Decline Rate (Last Hour) field 3: Decline Rate (Last Week) The query you suggested seems to only calculate "Last Hour" (leaving out Last Week for some reason) where I have 11 fields (columns) with field 1: time_marker field 2: error type #1 field 3: error type #2 field 4: error type #3 ... ... field 11: error type #10 I guess essentially I wanted the "transpose" of your solution. I managed to get what I was looking for by doing the following search: base search earliest=-7d | eval marker = if(event="transaction", 1, 0) | eventstats sum(marker) as TotalTransactions | stats count(eval(success="false")) as Failures max(TotalTransactions) as TotalTransactions by failure_type | eval percent_failure=round(Failures*100/TotalTransactions , 1) | sort -percent_failure | head 10 | streamstats count as WeekRank | append [ base search earliest=-1h | eval marker = if(event="transaction", 1, 0) | eventstats sum(marker) as TotalTransactions | stats count(eval(success="false")) as Failures max(TotalTransactions) as TotalTransactions by failure_type | eval percent_failure_lasthour=round(Failures*100/TotalTransactions , 1) | sort -percent_failure_lasthour | head 10 | streamstats count as HourRank ] | stats first(WeekRank) as WeekRank first(HourRank) as HourRank values(Failures) as Failures values(percent_failure_lasthour) as percent_failure_lasthour values(percent_failure) as percent_failure by failure_type | sort -percent_failure | table failure_type percent_failure_lasthour percent_failure | rename percent_failure as "Decline Rate (Last Week)", failure_type as "Error Type", percent_failure_lasthour as "Decline Rate (Last Hour)" | fillnull value="-" I am still very interested in learning how I can use YOUR query to get the same results. Is there a way to simply transpose the table and have it calculate "Last Week" since it is not displaying currently. I also need to brush up on the documentation since I am not too clear with the command "appendpipe" and "addinfo" thanks so much for your help! ... View more

This is great, thank you! @rjthibod I would actually like to display the information on the same table compared to the last 7 days as well. Is there any way to align the results that belong to the same failure type to be on the same row? For example right now it displays "insufficient funds" on two individual rows where one result is in the failure type last hour column and the other is in the failure type last week column. I believe the command "streamstats" should do the trick, is there an easier way? Also, is there a way to have the query be faster? I am only parsing 7 days and my base search shouldn't have that much to parse either. Any insights would be much appreciated. Below is my query: base search... earliest=-7d | eval marker = if(event="transaction", 1, 0) | eventstats sum(marker) as TotalTransactions | stats count(eval(success="false")) as Failures max(TotalTransactions) as TotalTransactions by failure_type | eval percent_failure=round(Failures*100/TotalTransactions , 1) | sort -percent_failure | head 10 | append [ base search... earliest=-1h | eval marker = if(event="transaction", 1, 0) | eventstats sum(marker) as TotalTransactions | stats count(eval(success="false")) as Failures max(TotalTransactions) as TotalTransactions by failure_type | eval percent_failure_lasthour=round(Failures*100/TotalTransactions , 1) | sort -percent_failure_lasthour | head 10 ] | sort -percent_failure | table failure_type percent_failure_lasthour percent_failure | rename percent_failure as "Decline Rate (Last Week)", failure_type as "Error Type", percent_failure_lasthour as "Decline Rate (Last Hour)" | fillnull value="-" ... View more