Dashboards & Visualizations

how to create a chart with percentage ?

gowthamkb
Explorer

Location Processing Time (minutes) trans_date


Central 21 09/21/2016
South East 40 09/22/2016

Is there a way I can get a chart with time buckets , y-axis-primary showing percentage (transactions), y-axis secondary showing processing_time (0-10 mins, 10-20 mins etc) and x axis showing trans_date ?

Tags (1)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Give this a try.

your current search giving field Location, Processing_time, trans_date
| bucket span=10 Processing_time 
| stats count by trans_date Processing_time 
| eventstats sum(count) as Total by trans_date
| eval Percent=round(count*100/Total,2)
| table trans_date, Processing_time Percent
| rename Processing_time as DurationBucket 

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try.

your current search giving field Location, Processing_time, trans_date
| bucket span=10 Processing_time 
| stats count by trans_date Processing_time 
| eventstats sum(count) as Total by trans_date
| eval Percent=round(count*100/Total,2)
| table trans_date, Processing_time Percent
| rename Processing_time as DurationBucket 
0 Karma

gowthamkb
Explorer

hi. Thanks for above command. how can I tweak the above command to get total events for all day, so that I can view the percentage of events that are processed on a given day within timebucket (i.e 10% events processed in 0-10 mins, 25% events processed in 10-20 mins on 9/25/2016 (trans_date) and the same on 09/26/2016 (trans_date) etc)

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Is it not giving you that right now? It is calculating the percentage based on total events.

0 Karma

gowthamkb
Explorer

With the above command I am getting individual columns per date . I actually want a chart that shows the following . X-axis should show the date and the column should be divided by events percentage for a given day.

y-Axis (time buckets)

30 % 35%
20 % 26%

10 % 12%

X-Axis 09/25 09/26

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try..

your current search giving field Location, Processing_time, trans_date
 | bucket span=10 Processing_time 
 | stats count by trans_date Processing_time 
 | eventstats sum(count) as Total by trans_date
 | eval Percent=round(count*100/Total,2)
 | table trans_date, Processing_time Percent
 | rename Processing_time as DurationBucket | xyseries trans_date DurationBucket Percent
0 Karma

gowthamkb
Explorer

Hi. it is working to an extent. It is giving me multiple columns on the graph per date. I actually want to get a single column on the chart per date and that column should be shown in buckets with event percents. In this case, we will have dual y-axis. left Y-axis will show the percent and the right y-axis will show the average time . Not sure if this can be done in splunk.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Can you try my original answer with stacked chart option?

0 Karma

gowthamkb
Explorer

Hi. Thanks a lot for guidance. With the stacked chart option I was able to merge the events to a single column per date. In the same chart, Is there a way in splunk to show a line which gives the average time (i.e average time taken by events on a given day) ?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try. Select stacked chart option and in chart overlay select field AverageTime

your current search giving field Location, Processing_time, trans_date
| eventstats avg(Processing_time) as avg by trans_date
 | bucket span=10 Processing_time 
 | stats count values(avg) as avg by trans_date Processing_time 
 | eventstats sum(count) as Total by trans_date
 | eval Percent=round(count*100/Total,2)
 | table trans_date, Processing_time Percent avg
 | rename Processing_time as DurationBucket avg as AverageTime
0 Karma

gowthamkb
Explorer

Hi. With the above command I was able to get the average time with the overlay option but the columns are not stacked (even after selecting the stacked chart option). On a given date (trans_date) it is showing column for each DurationBucket.

0 Karma

somesoni2
SplunkTrust
SplunkTrust
0 Karma

gowthamkb
Explorer

Thank you !! The following command you gave what I wanted.

your current search giving field Location, Processing_time, trans_date
| bucket span=10 Processing_time
| stats count by trans_date Processing_time
| eventstats sum(count) as Total by trans_date
| eval Percent=round(count*100/Total,2)
| table trans_date, Processing_time Percent
| rename Processing_time as DurationBucket | xyseries trans_date DurationBucket Percent

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Could you provide some mock output (table) on what you data would look like?

0 Karma

gowthamkb
Explorer

Hi- following is the mock table

Trans_date DurationBucket Percent
9/21/2016 0-10Mins 10.35
9/22/2016 10-20 Mins 25.23

0 Karma

somesoni2
SplunkTrust
SplunkTrust

And how is the percent calculated? Based on count of events for that day OR total events for all day?

0 Karma

gowthamkb
Explorer

based on count of events for that day. Thank you

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...