Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to take the perc of each action and display it in a single value panel on a dashboard?

sbattista09
Contributor
‎09-09-2016 12:27 PM

If I wanted to take the perc of each action and display it in a single value panel on a dashboard, how would I go about doing so? 

base search | stats count by action | eventstats sum(count) as perc | eval perc=round(count*100/perc,2)

Results:

action  count   perc
action1   12       25
action2   12       25
action3   12       25
action4   12       25
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-09-2016 01:17 PM

Best (performance wise) option would to use post process in the dashboard. This will avoid running 4 searches. Try something like this for your dashboard xml. See this for more details http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/Savedsearches#Post-process_searches. 

<search id="xyz">
   <query>base search | stats count by action | eventstats sum(count) as perc | eval perc=round(count*100/perc,2)</query>
<earliest>...
.....</latest>
 </search>
 <!-- post processing reference -->
 <single>
   <search base="xyz">
     <query> where action="action1" | table perc</query>
   </search>
 </single>
 <single>
   <search base="xyz">
     <query> where action="action2" | table perc</query>
   </search>
 </single>
 <single>
   <search base="xyz">
     <query> where action="action3" | table perc</query>
   </search>
 </single>
 <single>
   <search base="xyz">
     <query> where action="action4" | table perc</query>
   </search>
 </single>

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-09-2016 01:17 PM

Best (performance wise) option would to use post process in the dashboard. This will avoid running 4 searches. Try something like this for your dashboard xml. See this for more details http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/Savedsearches#Post-process_searches. 

<search id="xyz">
   <query>base search | stats count by action | eventstats sum(count) as perc | eval perc=round(count*100/perc,2)</query>
<earliest>...
.....</latest>
 </search>
 <!-- post processing reference -->
 <single>
   <search base="xyz">
     <query> where action="action1" | table perc</query>
   </search>
 </single>
 <single>
   <search base="xyz">
     <query> where action="action2" | table perc</query>
   </search>
 </single>
 <single>
   <search base="xyz">
     <query> where action="action3" | table perc</query>
   </search>
 </single>
 <single>
   <search base="xyz">
     <query> where action="action4" | table perc</query>
   </search>
 </single>
Reply
Solved! Jump to solution

sbattista09
Contributor
‎11-07-2017 10:49 AM

interesting. i never tonight about doing this.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎09-09-2016 12:36 PM

Do this for each action/panel

base search | stats count by action | eventstats sum(count) as perc | eval perc=round(count*100/perc,2) | where action=action1 | fields perc

...etc

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...