- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Can I easily set up a chart that displays the resu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a Splunk query that generates one value based on what's selected in the time span drop down. I want to generate a chart that would be the equivalent of running this query multiple times with "today," "yesterday," ... all the way back to 30 days ago selected in the drop down, with a separate bar in the chart for each day in the past month. Is there a simple way to do this?
Thanks,
Jonathan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try something like this:
index=my_index "abc" OR "def"
|bucket _time span=1d
|eval ATTEMPTED_ORDERS=if(like(_raw,"%abc%"),1,0)
|eval SUCCESSFUL_ORDERS=if(like(_raw,"%def%",1,0)
| stats sum(ATTEMPTED_ORDERS) as ATTEMPTED_ORDERS sum(SUCCESSFUL_ORDERS) as SUCCESSFUL_ORDERS by _time
| eval UNSUCCESSFUL_ORDERS = ATTEMPTED_ORDERS - SUCCESSFUL_ORDERS |
eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100 | TABLE _time PERCENT_SUCCESSFUL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
<search>
<query>your search here | timechart span=1d count(eval(searchmatch("abc")) AS ATTEMPTED_ORDERS count(eval(searchmatch("def")) AS UNSUCCESSFUL_ORDERS | eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100 | table _time PERCENT_SUCCESSFUL </query>
<earliest>$time.earliest$</earliest>
<latest>$time.earliest$-30d@d</latest>
</search>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try something like this:
index=my_index "abc" OR "def"
|bucket _time span=1d
|eval ATTEMPTED_ORDERS=if(like(_raw,"%abc%"),1,0)
|eval SUCCESSFUL_ORDERS=if(like(_raw,"%def%",1,0)
| stats sum(ATTEMPTED_ORDERS) as ATTEMPTED_ORDERS sum(SUCCESSFUL_ORDERS) as SUCCESSFUL_ORDERS by _time
| eval UNSUCCESSFUL_ORDERS = ATTEMPTED_ORDERS - SUCCESSFUL_ORDERS |
eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100 | TABLE _time PERCENT_SUCCESSFUL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked for me. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For a simple search index=_internal | stats count, it can be done with index=_internal | bucket span=1d _time | stats count by _time. (adding _time into mix with span as 1d). If you can share your query, we can suggest the same transformation for your search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the query:
index=my_index "abc" | STATS COUNT AS ATTEMPTED_ORDERS | appendcols [search index=my_index "def" | STATS COUNT AS SUCCESSFUL_ORDERS] | eval UNSUCCESSFUL_ORDERS = ATTEMPTED_ORDERS - SUCCESSFUL_ORDERS |
eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100 | TABLE PERCENT_SUCCESSFUL
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
