Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using calculated values to create timechart -- too many columns

EricLloyd79
Builder
‎05-30-2014 10:17 AM

Hello, I know this type of question has been asked several times: ex:

http://answers.splunk.com/answers/11020/display-calculated-values-in-a-timechart

But I have tried that example and am getting column bars for my total when I just want column bars for my calculated values. Im basically trying to create a chart that return the percentages of a total value but I dont want the values I used (count, total) to be included on the timechart. Here is my query:

XXXXXX NOT(resultType=XXXX) activity=foo OR activity=bar
| timechart span=1h count by activity
| eval total = foo + bar
| eval percAddTrials = round(foo*100/total,1)
| eval percAddSub = round(bar*100/total,1)

I've been working on this for a few days. I started initially trying to use appendcols and that seemed to work somewhat as well:

XXXXX NOT(resultType=XXX) activity=foo
| timechart span=1h count as foo_total
| appendcols
   [search XXXXX NOT(resultType=XXX) activity=bar 
      | timechart span=1h count as bar_total]
| eval total = foo_total + bar_total 
| eval percFoo = round(foo_total*100/total,1)
| eval percBar = round(bar_total*100/total,1)

But this gave me the same issue of displaying the column bars of total and the counts. Any suggestions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-30-2014 03:25 PM

All you should need to do, is to add a final line to your search, eliminating the fields you don't want:

XXXXXX NOT(resultType=XXXX) activity=foo OR activity=bar
| timechart span=1h count by activity
| eval total = foo + bar
| eval percAddTrials = round(foo*100/total,1)
| eval percAddSub = round(bar*100/total,1)
| fields - total

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-30-2014 03:25 PM

All you should need to do, is to add a final line to your search, eliminating the fields you don't want:

XXXXXX NOT(resultType=XXXX) activity=foo OR activity=bar
| timechart span=1h count by activity
| eval total = foo + bar
| eval percAddTrials = round(foo*100/total,1)
| eval percAddSub = round(bar*100/total,1)
| fields - total
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...