Using distinct count and eval in timechart (area chart)

Jurala
Explorer

To begin with, I'm a beginner in the world of Splunk. I'm trying to create an area chart where I could track how many users are using the application, how many have completed the application (reached page 6) and how many users are using formManager. In the query I've stated that if the user reaches page six, which is the last page of the application, the form is saved to formManager, thus adding the user as a formManager user. I'm using all three counts successfully as single value panels in my dashboard, but I would like to visualize them in a graph.

dc(user_id) as applicationUsers and count(eval(page_logging=6)) as completedForms works like a charm but dc(eval(page_logging=6)) as formManagerUsers returns only zero or one per hour in my area chart.

I'm using the following query as a single value to track formManager users:

index=prod sourcetype=application page_logging=6 | stats dc(user_id)

Here's my query for the area chart:

index=prod sourcetype=application | timechart span=1h dc(user_id) as applicationUsers, count(eval(page_logging=6)) as completedForms, dc(eval(page_logging=6)) as formManagerUsers

DalJeanis
Legend

The last calculation, and the results on it, make no sense to me.

eval(page_logging=6) has three possible values for any given record {null, true, false}. Null is not a value that dc counts, so for that formula, dc can only give 0, 1 or 2, and I'd expect it to vary between 1 and 2, mostly 2, if the field page_logging is usually present and if people commonly drop out and also people commonly finish. So, I'd go back and check your assumptions based on common sense expectations for the data.

You are really looking, I believe, for dc(user_id) where page_logging=6. I think my preference, as the most straightforward approach, would be preprocessing, but let me see if I can tease this out to code it your way...

It will be something like...

 dc(eval(if(page_logging=6,user_id,null()))) as formManagerUsers

Jurala
Explorer

Thanks! Works as expected.
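
The accepted fix can be checked without production data. The search below is an added example, not part of the original thread: it builds eight constructed events with `makeresults` (the user IDs `u1` to `u5`, the page numbers and the helper field `n` are all made up for illustration) and runs the three aggregates from the thread over them.

```spl
| makeresults count=8
| streamstats count as n
| eval user_id=case(n<=3,"u1", n<=5,"u2", n=6,"u3", n=7,"u4", n=8,"u5")
| eval page_logging=if(n=2 OR n=3 OR n=5 OR n=7, 6, 1)
| eval _time=relative_time(now(), if(n<=6, "-1h@h", "@h"))
| timechart span=1h
    dc(user_id) as applicationUsers,
    count(eval(page_logging=6)) as completedForms,
    dc(eval(if(page_logging=6,user_id,null()))) as formManagerUsers
```

In the earlier hour the constructed user `u1` has two page-6 events, so that bucket separates the count of page-6 events (`completedForms`) from the distinct count of users who reached page 6 (`formManagerUsers`).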
