Hi,
With the support of Splunk's community, I have this search below. However, right now I would like to take the result and use the timechart command so I can see each hour. How do I do this?
index= "index_cbo_pt" "AcquirerResponseCode=0" | stats count as Result1 | appendcols [search index= "index_cbo_pt" "AcquirerResponseCode=0" | stats dc(MerchantCheckoutId) as Result2] | eval finalValue = Result1/Result2 | table finalValue Result1 Result2
Can somebody help me?
Im not sure why you want to do the 'appencols' in this search.
This should be the solution:
index=index_cbo_pt AcquirerResponseCode=0
| timechart span=1h count as Result1 dc(MerchantCheckoutId) as Result2
| eval finalValue = Result1/Result2
| fields _time finalValue Result1 Result2
Try it out.
Timechart requires a timestamp so remove the table line and use
timechart list(finalValue) WHATEVEROTHERPARAMETERSYOUWANT
I've tried the query bellow and haven't worked.
index= "index_cbo_pt" "AcquirerResponseCode=0" | stats count as Result1 | appendcols [search index= "index_cbo_pt" "AcquirerResponseCode=0" | stats dc(MerchantCheckoutId) as Result2] | eval finalValue = Result1/Result2 | timechart list(finalValue) count
thanks!
You don't need the last 'count'. Simply define a span and let the list represent all your values
Im not sure why you want to do the 'appencols' in this search.
This should be the solution:
index=index_cbo_pt AcquirerResponseCode=0
| timechart span=1h count as Result1 dc(MerchantCheckoutId) as Result2
| eval finalValue = Result1/Result2
| fields _time finalValue Result1 Result2
Try it out.
Thank your! It works!!