Using distinct count and eval in timechart (area chart)

Jurala
Explorer

To begin with, I'm a beginner in the world of Splunk. I'm trying to create an area chart where I could track how many users are using the application, how many have completed the application (reached page 6) and how many users are using formManager. In the query I've stated that if the user reaches page six, which is the last page of the application, the form is saved to formManager, thus adding the user as a formManager user. I'm using all three counts successfully as single value panels in my dashboard but I would like to visualize them in a graph.

dc(user_id) as applicationUsers and count(eval(page_logging=6)) as completedForms works like a charm but dc(eval(page_logging=6)) as formManagerUsers returns only zero or one per hour in my area chart.

I'm using the following query as a single value to track formManager users:

index=prod sourcetype=application page_logging=6 | stats dc(user_id)

Here's my query for the area chart:

index=prod sourcetype=application | timechart span=1h dc(user_id) as applicationUsers, count(eval(page_logging=6)) as completedForms, dc(eval(page_logging=6)) as formManagerUsers

DalJeanis
Legend

The last calculation, and the results on it, make no sense to me.

eval(page_logging=6) has three possible values for any given record {null, true, false}. Null is not a value that dc counts, so for that formula, dc can only give 0, 1 or 2, and I'd expect it to vary between 1 and 2, mostly 2, if the field page_logging is usually present and if people commonly drop out and also people commonly finish. So, I'd go back and check your assumptions based on common sense expectations for the data.

You are really looking, I believe, for dc(user_id) where page_logging=6. I think my preference, as the most straightforward approach, would be preprocessing, but let me see if I can tease this out to code it your way...

It will be something like...

 dc(eval(if(page_logging=6,user_id,null()))) as formManagerUsers
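
The preprocessing approach mentioned in the answer above, next to the inline form, as an added example that is not part of the original posts. The events are constructed with makeresults so the search runs without the prod index; the field names formManagerUser, formManagerUsersInline, dcOfComparison and sample_note and the user ids u1 to u5 are assumptions made for the illustration.

```spl
| makeresults count=8
| eval sample_note="constructed events, not data from the thread"
| streamstats count as n
| eval _time=relative_time(now(), "@h") - if(n<=5, 3600, 0)
| eval user_id=case(n<=2, "u1", n<=4, "u2", n==5, "u3", n<=7, "u4", true(), "u5")
| eval page_logging=case(n==1, 3, n==2, 6, n==3, 6, n==4, 6, n==5, 2, n==6, 6, n==7, 6, true(), 1)
| eval formManagerUser=if(page_logging=6, user_id, null())
| timechart span=1h dc(user_id) as applicationUsers,
    count(eval(page_logging=6)) as completedForms,
    dc(formManagerUser) as formManagerUsers,
    dc(eval(if(page_logging=6, user_id, null()))) as formManagerUsersInline,
    dc(eval(page_logging=6)) as dcOfComparison
```

In the constructed data u2 reaches page 6 twice within the same hour, so completedForms and formManagerUsers differ for that bucket, while formManagerUsers and formManagerUsersInline agree in every bucket.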

Jurala
Explorer

Thanks! Works as expected.
