Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to calculate a percentage for my timechart?

k_harini
Communicator
‎11-22-2016 06:03 AM

I have to calculate % of SLA missed over time.

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status |addtotals| foreach * [eval sla_perc = count * 100 /Total]

Not sure why this is not working. Please help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 06:50 AM

Try this

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status | addtotals| foreach * [eval <<FIELD>>=if(<<FIELD>>==Total, <<FIELD>>, <<FIELD>>/Total)]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 06:50 AM

Try this

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status | addtotals| foreach * [eval <<FIELD>>=if(<<FIELD>>==Total, <<FIELD>>, <<FIELD>>/Total)]
0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:25 AM

which field should i compare with Total.. I just need %.. (count/total)*100 for all values...

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-22-2016 09:31 AM

<<FIELD>> represents each field in the "table". In this case, it will exclude fieldName=Total. Are you not seeing correct results?

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:38 AM

ok thanks.. I'm not getting results.. 😞

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-22-2016 10:18 AM

If the field names are numerical, enclose <<FIELD>> within single quotes - '<<FIELD>>'

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 10:56 AM

Thank you so much.. it worked.. foreach * [eval <>=round('<>'*100/Total].. I was struggling with this for such a long time..

0 Karma
Reply
Solved! Jump to solution

PPape
Contributor
‎11-22-2016 06:14 AM

1.) what is the result you get?
2.) in your foreach [eval sla_perc = count 100 /Total] statement... shouldnt the count be a sla_count?
Asking because in the timechart you define count as sla_count "|timechart count as sla_count by sla_status "

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:24 AM

I get results till Total.. Not getting %.. yes.. it was sla_count.. First did with count and then tried with alias too.. Not working

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...