Solved: timechart sum

sphiwee · ‎06-21-2021

index="acoe_np_spa_metrics"
| search Project="*" AND Volume="*" 
| timechart span=1mon count(eval(D_Status="F")) as success_count
  count(eval(D_Status="S")) as failure_count count as Total
| eval STP=(success_count/Total)*100 
| fields - Total

Good day, I have the above SPL query it gives me the count of "F"s and "S"s but I need the sum of Volumes where D_Status = F and sum of Volume where D_Status = S

kamlesh_vaghela · ‎06-21-2021

@sphiwee

Can you please try this?

index="acoe_np_spa_metrics" 
| search Project="*" AND Volume="*" 
| timechart span=1mon sum(eval(if(D_Status="F",Volume,0))) as success_count
    count(eval(if(D_Status="S",Volume,0))) as failure_count count as Total 
| eval STP=(success_count/Total)*100 
| fields - Total

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎06-21-2021

@sphiwee

Can you please try this?

index="acoe_np_spa_metrics" 
| search Project="*" AND Volume="*" 
| timechart span=1mon sum(eval(if(D_Status="F",Volume,0))) as success_count
    count(eval(if(D_Status="S",Volume,0))) as failure_count count as Total 
| eval STP=(success_count/Total)*100 
| fields - Total

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

timechart sum

count

eval

fields

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?