1) The first thing I'm trying to do is calculate the sum of my Total Revenue for all of my data from 2014.
sourcetype=csv "Fiscal Period"="-2014" Stage="Closed Won (100%)" "Account Name"="" | stats sum(Amount) by "Account Name" | stats sum(sum(Amount)) | rename sum(sum(Amount)) as TotalRevenue | table TotalRevenue
**The value that Splunk returns is TotalRevenue: 4831805.82**
2) Next I run the same search, but I'm looking to find the top ten values per account. I use the appendcols function to do this. For ease of understanding, I've removed it so it can be run as a separate search:
sourcetype=csv "Fiscal Period"="-2014" Stage="Closed Won (100%)" "Account Name"="" | stats sum(Amount) by "Account Name" | sort sum(Amount) by "Account Name" | tail 10 | stats sum(sum(Amount)) | rename sum(sum(Amount)) as TopTenRevenue
**Splunk returns the result TopTenRevenue: 2281605.54**
3) Given the two results that I have now, I'm looking to create a pie chart that reflects the TopTenRevenue divided by TotalRevenue.
I think this is where my issue is created.
**I've eliminated the eval function in the previous string as I don't think it's necessary**
After I close my bracket and pipe the previous step, I table TopTenRevenue and TotalRevenue.
Because the results present themselves in two columns, I transpose them to put them in rows so that they can go into a pie graph.
| table TopTenRevenue TotalRevenue | transpose | rename column as Period | rename "row 1" as Amount
4) When I go to graph this, Splunk adds the values for TotalRevenue and TopTenRevenue. The graph reflects TopTenRevenue (2281605.54)/(7113411.36, or the sum of TopTen and Total).
I need the graph to reflect (2281605.54, or TopTenRevenue)/(4831805.82, or TotalRevenue).
It looks like I'm probably overcomplicating the search string and could do without one of the steps. Does this make more sense to you? What would the best approach be to achieve my desired result? Thanks for your help.