Solved: timechart sum

sphiwee · ‎06-21-2021

index="acoe_np_spa_metrics"
| search Project="*" AND Volume="*" 
| timechart span=1mon count(eval(D_Status="F")) as success_count
  count(eval(D_Status="S")) as failure_count count as Total
| eval STP=(success_count/Total)*100 
| fields - Total

Good day, I have the above SPL query it gives me the count of "F"s and "S"s but I need the sum of Volumes where D_Status = F and sum of Volume where D_Status = S

kamlesh_vaghela · ‎06-21-2021

@sphiwee

Can you please try this?

index="acoe_np_spa_metrics" 
| search Project="*" AND Volume="*" 
| timechart span=1mon sum(eval(if(D_Status="F",Volume,0))) as success_count
    count(eval(if(D_Status="S",Volume,0))) as failure_count count as Total 
| eval STP=(success_count/Total)*100 
| fields - Total

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎06-21-2021

@sphiwee

Can you please try this?

index="acoe_np_spa_metrics" 
| search Project="*" AND Volume="*" 
| timechart span=1mon sum(eval(if(D_Status="F",Volume,0))) as success_count
    count(eval(if(D_Status="S",Volume,0))) as failure_count count as Total 
| eval STP=(success_count/Total)*100 
| fields - Total

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

timechart sum

count

eval

fields

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>