Splunk Search

Why are we having an appendcols issue?

simon1524
Engager

There is something wrong with the data output by using apendcols. The data of Total_Actual is blank from 02-2022. But actually there has data all of months. May I know what's the reason..?

index=sourceA

PRIORITY="High" OR
PRIORITY="Medium" OR
PRIORITY="Low"
WAS_CRITICAL="yes"
| eval _time=strptime(FIRST_SOLVED_DATE,"%Y-%m-%d %H:%M:%S.%N")
| timechart span=1mon count as Total

| appendcols [search index=sourceA

PRIORITY="Critical"
| eval _time=strptime(FIRST_SOLVED_DATE,"%Y-%m-%d %H:%M:%S.%N")
| timechart span=1mon count as Total_Actual]
| eval Rate_%=round((Total_Actual/Total)*100, 2)
| table _time, Total, Total_Actual, Rate_%
| tail 12
| sort _time

OUTPUT

_time Total Total_Actual Rate_%
2021-07-01T00:00:00.000+0200 76 64 84.21
2021-08-01T00:00:00.000+0200 74 51 68.92
2021-09-01T00:00:00.000+0200 81 45 55.56
2021-10-01T00:00:00.000+0200 75 71 94.67
2021-11-01T00:00:00.000+0200 118 58 49.15
2021-12-01T00:00:00.000+0200 101 105 103.96
2022-01-01T00:00:00.000+0200 81 86 106.17
2022-02-01T00:00:00.000+0200 95    
2022-03-01T00:00:00.000+0200 85    
2022-04-01T00:00:00.000+0200 96    
2022-05-01T00:00:00.000+0200 106    
2022-06-01T00:00:00.000+0200 141    
Labels (1)
Tags (1)
0 Karma
1 Solution

VatsalJagani
Champion

@simon1524 - Try this query instead:

index=sourceA
| eval _time=strptime(FIRST_SOLVED_DATE,"%Y-%m-%d %H:%M:%S.%N")

| timechart span=1mon count(eval((PRIORITY="High" OR PRIORITY="Medium" OR PRIORITY="Low") AND WAS_CRITICAL="yes")) as Total, count(eval(PRIORITY="Critical")) as Total_Actual

| eval Rate_%=round((Total_Actual/Total)*100, 2)
| table _time, Total, Total_Actual, Rate_%
| tail 12
| sort _time

Single timechart command without appendpipe should give you the results.

This query is much more robust and performance effective.

 

I hope this helps!!! Karma/upvote would be appreciated!!!

View solution in original post

VatsalJagani
Champion

@simon1524 - Try this query instead:

index=sourceA
| eval _time=strptime(FIRST_SOLVED_DATE,"%Y-%m-%d %H:%M:%S.%N")

| timechart span=1mon count(eval((PRIORITY="High" OR PRIORITY="Medium" OR PRIORITY="Low") AND WAS_CRITICAL="yes")) as Total, count(eval(PRIORITY="Critical")) as Total_Actual

| eval Rate_%=round((Total_Actual/Total)*100, 2)
| table _time, Total, Total_Actual, Rate_%
| tail 12
| sort _time

Single timechart command without appendpipe should give you the results.

This query is much more robust and performance effective.

 

I hope this helps!!! Karma/upvote would be appreciated!!!

simon1524
Engager

With your query the data shows correctly.

Thank you very much!!

0 Karma
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...