I'm still a noob to writing splunk searches so please bear with me. 🙂
I have a search that's currently generating 3 columns - but I really just want the last bit (which is the post calculation percentage). I believe I'm going about this completely wrong, as I think I should be doing calculation first, then the timechart at the end.
I was hoping someone could take a look at my existing search statement(s) and help fix it.
search:
index="http_index" cs_uri="http://foo.bar"
| timechart span=1h count(eval(s_cachestatus="CACHE_MISS" OR s_cachestatus="CACHE_REVALIDATED_MISS")) AS cache_miss, count(eval(s_cachestatus="CACHE_HIT" OR s_cachestatus="CACHE_REVALIDATED_HIT" OR s_cachestatus="CACHE_MEM_HIT" OR s_cachestatus="CACHE_REVALIDATED_MEM_HIT")) as cache_hit
| eval cache_hit_ratio=(100*cache_hit/(cache_hit+cache_miss))
So, this plots down the 3 numbers: cache_hit, cache_miss, and the calculated ratio percentage between the two. All I want to chart in the timechart is the ratio%. Help? 🙂
... View more