Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create two searches combined into one chart, or timechart with calculated percent of total (rate) by fields?

rvazquez8113
New Member
‎02-05-2018 10:37 AM

I have transactions logged across different sales "channels" (catering, mobileApp, faceToFace, etc.). I am trying to display the transaction Decision counts along with the percentOfTotal (Rate) of each Decision type.

first search:
host=server* "Catering" txnType=order | timechart span=1d dc(txnId) as "totalTxns" << this base search is a discrete total of all transactions in all use cases in the catering channel.

second search:
host=server* "Catering" txnType=order issuerResponse="authorized" NOT ("avsMismatch" OR "cvvMismatch") | timechart span=1d dc(txnId) by Decision | rename APPROVE as "Accept", REJECT as "Decline", ERROR as "Error" << this base search is one use case in the catering channel that is a subset of the first search.

calculation:
| eval percentOfTotal=(round((Decision/totalTxns)*100)."%") << I'm intending for this to be percentOfTotal displayed in a chart for each of the three Decision types (Accept, Decline, Error) found in the second search over a span=1d. However, in attempting to chart this doesn't seem like a way to accomplish what I am trying to do.

Ideally the data could be presented similar to the following:

-totalTxns being greater than the sum of all Decisions is expected as this is only one specific use case within this channel.

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-05-2018 12:33 PM

Try this; it may not be the most efficient search, but it should work

host=server* "Catering" txnType=order | timechart span=1d dc(txnId) as "totalTxns"
| append [ search host=server* "Catering" txnType=order issuerResponse="authorized" 
           NOT ("avsMismatch" OR "cvvMismatch") 
     | timechart span=1d dc(txnId) by Decision 
     | rename APPROVE as "Accept", REJECT as "Decline", ERROR as "Error" ]
| stats first(*) as * by _time
| foreach Accept Decline Error [ eval <<FIELD>>_percentOfTotal=(round((<<FIELD>>/totalTxns)*100)."%") ]
| rename _time as Date, Accept_percentOfTotal as "Accept %", Decline_percentOfTotal as "Decline %",
      Error_percentOfTotal as "Error %", totalTxns as "Total Txn"
| table Date "Total Txn" Accept "Accept %"  Decline "Decline %" Error  "Error %"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-05-2018 12:33 PM

Try this; it may not be the most efficient search, but it should work

host=server* "Catering" txnType=order | timechart span=1d dc(txnId) as "totalTxns"
| append [ search host=server* "Catering" txnType=order issuerResponse="authorized" 
           NOT ("avsMismatch" OR "cvvMismatch") 
     | timechart span=1d dc(txnId) by Decision 
     | rename APPROVE as "Accept", REJECT as "Decline", ERROR as "Error" ]
| stats first(*) as * by _time
| foreach Accept Decline Error [ eval <<FIELD>>_percentOfTotal=(round((<<FIELD>>/totalTxns)*100)."%") ]
| rename _time as Date, Accept_percentOfTotal as "Accept %", Decline_percentOfTotal as "Decline %",
      Error_percentOfTotal as "Error %", totalTxns as "Total Txn"
| table Date "Total Txn" Accept "Accept %"  Decline "Decline %" Error  "Error %"
0 Karma
Reply
Solved! Jump to solution

rvazquez8113
New Member
‎02-06-2018 03:49 PM

Thank you Iguinn! absolutely brilliant!

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...