Re: Dashboard timechart query problem

rbochen · ‎11-10-2017

How do I present ONLY "allErrorsPerMile" on a timechart? Now it looks like on the attachment

 "exception1" OR "exception2" OR "exception3" OR "call"
        | eval calls = if(like(message, "%call%"), 1, 0)
        | eval errors1 = if(like(message, "%exception1%"), 1, 0)
        | eval errors2 = if(like(message, "%exception2%"), 1, 0)
        | eval errors3 = if(like(message, "%exception3%"), 1, 0)
        | timechart sum(errors1) AS errors1 sum(errors2) AS errors2 sum(errors3) AS errors3 sum(calls) AS calls 
        | eval allErrorsPerMile=if(calls>0, ((errors1 + errors2 + errors3)*1000)/calls, calls = 1)

kamlesh_vaghela · ‎11-10-2017

Hi

Can you please try this one?

 "exception1" OR "exception2" OR "exception3" OR "call"
         | eval calls = if(like(message, "%call%"), 1, 0)
         | eval errors1 = if(like(message, "%exception1%"), 1, 0)
         | eval errors2 = if(like(message, "%exception2%"), 1, 0)
         | eval errors3 = if(like(message, "%exception3%"), 1, 0)
         | timechart sum(errors1) AS errors1 sum(errors2) AS errors2 sum(errors3) AS errors3 sum(calls) AS calls 
         | eval allErrorsPerMile=if(calls>0, ((errors1 + errors2 + errors3)*1000)/calls, calls = 1)
| fields _time  allErrorsPerMile

I have just added "| fields _time allErrorsPerMile".

Thanks

rbochen · ‎11-10-2017

did it with charting.data.fieldHideList

Dashboard timechart query problem

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

Are you a member of the Splunk Community?

Dashboard timechart query problem

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University