How to use "where" clause in my search to timechar...

gpanicker · ‎01-10-2015

I need to timechart the percentage of the sum of Field1 based on the value of Field2 preferably using single query

For Eg. Field2 can be either true or false, I need (sum(Field1) when Field2=true ) / sum(Field1) * 100

something like this , but this not working

index=iis sourcetype=tracelog  | fields _time, noOfDays, IsPivot| search | where (IsPivot=true) | stats sum(noOfDays) as DaysTrue |

and then timechart the percentage of DaysTrue over time

stephanefotso · ‎01-11-2015

hello! try this:

index=iis sourcetype=tracelog | table _time  noOfDays  IsPivot| search  IsPivot=true | stats sum(noOfDays) as DaysTrue by IsPivot _time| join [search  index=iis sourcetype=tracelog | table _time, noOfDays, IsPivot| search  IsPivot=true | stats sum(noOfDays) as sum2]|eval per=sum/sum2*100 | chart values(per) as percentage by _time|head 10

example:

index= _internal| table _time sourcetype  component max_size_kb |search sourcetype=splunkd| stats sum(max_size_kb) as sum by sourcetype _time |join [search index= _internal| table _time sourcetype  component max_size_kb |search sourcetype=splunkd| stats sum(max_size_kb) as sum2]|eval per=sum/sum2*100 | chart values(per) as percentage by _time|head 10

SGF

How to use "where" clause in my search to timechart the percentage of the sum of Field1 based on the value of Field2?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!