Splunk Search

## Timechart with multiple fields and calculating percentage

My query is something like

```
.. | eval color_and_shape = color + "/" + shape
| timechart count as total, count(eval(heavy="true")) as heavy by color_and_shape
```

which returns a table similar to

| _time | heavy:green/triangle | heavy:green/circle | total:green/triangle | total:green/circle |
|---|---|---|---|---|
| 11/20/12 | 1 | 2 | 5 | 6 |

How would I go about calculating the percentage of shapes that are heavy by color_and_shape?

I tried doing `...| eval pct=sc/total` but this does not work.

1 Solution

The problem is that after you've run the results through timechart, you no longer know all the combinations of column headers you'll need to calculate the percentage.

A better way of approaching this would be to work out the percentages before running timechart, like this:

```
... | eval color_and_shape = color + "/" + shape
| bin _time span=1d
| stats count as total, count(eval(heavy="true")) as heavy by color_and_shape _time
| eval perc_heavy=100*heavy/total
```

Then you can do the timechart

```
... | timechart span=1d first(total) as total first(heavy) as heavy first(perc_heavy) as perc_heavy by color_and_shape
```
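The approach in the answer above as one self-contained search, added here as an example that is not part of the original thread. It assumes nothing is indexed: `makeresults` constructs eight sample events (five dated yesterday, three today), and the `color`, `shape` and `heavy` values are made up for illustration. The `round()` call is an addition for readability.

```spl
| makeresults count=8
| streamstats count as n
| eval _time = if(n<=5, relative_time(now(), "-1d@d"), relative_time(now(), "@d"))
| eval color = "green"
| eval shape = if(n%2==0, "circle", "triangle")
| eval heavy = if(n%3==0, "true", "false")
| eval color_and_shape = color + "/" + shape
| bin _time span=1d
| stats count as total, count(eval(heavy="true")) as heavy by color_and_shape _time
| eval perc_heavy = round(100*heavy/total, 1)
| timechart span=1d first(total) as total first(heavy) as heavy first(perc_heavy) as perc_heavy by color_and_shape
```

Because `stats ... by color_and_shape _time` only emits rows for groups that contain at least one event, `total` is never zero and the division needs no guard.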