- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to change chart count to a percent value?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not know how to change count values to a percentage value and I couldn't find an answer by searching this forum, so maybe someone could help me please? thanks in advance
This is my search:
index=*
| fields eventDateTime,computerName,name,agentGuid,ID
| eval _timeepoch = strptime(eventDateTime,"%Y-%m-%d %H:%M")
| eval myDay = strftime(_timeepoch,"%A")
| eval myYear = strftime(_timeepoch,"%Y")
| eval myMonth = strftime(_timeepoch,"%m")
| where (myDay != "Saturday" AND myDay != "Sunday")
| lookup Workdays myYear myMonth OUTPUT Days
| chart count over computerName by name
| eval count=round(count*100/(Days*10),4)
| eval count=if(Servicetime>100,100.0000,Servicetime)
The last two evals were my idea to change the count values, but this does NOT work!Maybe also the lookup value isn't available after the chart function right? How can I do this? 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try like :
index=*
| fields eventDateTime,computerName,name,agentGuid,ID
| eval _timeepoch = strptime(eventDateTime,"%Y-%m-%d %H:%M")
| eval myDay = strftime(_timeepoch,"%A")
| eval myYear = strftime(_timeepoch,"%Y")
| eval myMonth = strftime(_timeepoch,"%m")
| where (myDay != "Saturday" AND myDay != "Sunday")
| lookup Workdays myYear myMonth OUTPUT Days
| chart count over computerName by name | eventstats sum(count) as Total by Days
| eval Percent=round(count*100/Total,4)
| eval count=if(Servicetime>100,100.0000,Servicetime)
or
your base search | stats count by computerName name | eventstats sum(count) as Total by Days | eval Percent=round(count*100/Total,4) | ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try like :
index=*
| fields eventDateTime,computerName,name,agentGuid,ID
| eval _timeepoch = strptime(eventDateTime,"%Y-%m-%d %H:%M")
| eval myDay = strftime(_timeepoch,"%A")
| eval myYear = strftime(_timeepoch,"%Y")
| eval myMonth = strftime(_timeepoch,"%m")
| where (myDay != "Saturday" AND myDay != "Sunday")
| lookup Workdays myYear myMonth OUTPUT Days
| chart count over computerName by name | eventstats sum(count) as Total by Days
| eval Percent=round(count*100/Total,4)
| eval count=if(Servicetime>100,100.0000,Servicetime)
or
your base search | stats count by computerName name | eventstats sum(count) as Total by Days | eval Percent=round(count*100/Total,4) | ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, now you brought me to this final and great result:
my base search | stats count by computerName name,atage
| eval Servicetime=round(count*100/(Days*11),4)
| eval Servicetime=if(Servicetime>100,100.0000,Servicetime)
| fields - Days,count
| chart sum(Servicetime) over computerName by name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are correct that the lookup fields would not be available after the stats. The only fields available to you after the stats are count, computerName and name.
If you use the "top" command, you should get a percent field automatically
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok thanks, but i cant use the top command because splunk can not know my definition for 100 percent. it depends on the lookup result. is there no way to do this?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
