- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- using variables in a search + to store number of r...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search | timechart span=h count | streamstats count as row
that gives me 24 rows: (1 full day at an hourly level)
_time count row
1 2016-02-20 00:00 2 1
2 2016-02-20 01:00 2 2
...
23 2016-02-20 22:00 2 23
24 2016-02-20 23:00 2 24
what I want to do is get a total of the count and then divide this by (NumberOfRows*2)*100
| timechart span=h count | stats sum(count) as total | eval percent=total/24*2*100 which will give me:
total percent
1 48 100
How do I set NumberOfRows to be a variable storing the number of rows dynamically, 24 for 1 day, or if I do it for 2 days it would be 48 ....etc.
Or is there a better way of doing this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I feel like there's probably a better way to accomplish what you're trying to get after, but it's late and my brain is shutting down. But to answer your question maybe, I think this should work.
| timechart span=h count | stats sum(count) as total dc(_time) as numRows | eval percent=total/numRows*2*100
that should get you the distinct count of values for _time, which after the timechart should be one for each row.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I feel like there's probably a better way to accomplish what you're trying to get after, but it's late and my brain is shutting down. But to answer your question maybe, I think this should work.
| timechart span=h count | stats sum(count) as total dc(_time) as numRows | eval percent=total/numRows*2*100
that should get you the distinct count of values for _time, which after the timechart should be one for each row.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tks, | timechart span=h count | stats sum(count) as total dc(_time) as numRows | eval percent=total/(numRows*2)*100 just had to add the brackets.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
New in Observability Cloud - Explicit Bucket Histograms
