I have a Splunk query that generates one value based on what's selected in the time range drop-down. I want to generate a chart that would be the equivalent of running this query multiple times with "today," "yesterday," ... all the way back to 30 days ago selected in the drop-down, with a separate bar in the chart for each day in the past month. Is there a simple way to do this?
Thanks,
Jonathan
Can you try something like this:
index=my_index "abc" OR "def"
| bucket _time span=1d
| eval ATTEMPTED_ORDERS=if(like(_raw,"%abc%"),1,0)
| eval SUCCESSFUL_ORDERS=if(like(_raw,"%def%"),1,0)
| stats sum(ATTEMPTED_ORDERS) AS ATTEMPTED_ORDERS sum(SUCCESSFUL_ORDERS) AS SUCCESSFUL_ORDERS BY _time
| eval UNSUCCESSFUL_ORDERS = ATTEMPTED_ORDERS - SUCCESSFUL_ORDERS
| eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100
| table _time PERCENT_SUCCESSFUL
Like this:
<search>
<query>your search here | timechart span=1d count(eval(searchmatch("abc"))) AS ATTEMPTED_ORDERS count(eval(searchmatch("def"))) AS SUCCESSFUL_ORDERS | eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100 | table _time PERCENT_SUCCESSFUL</query>
<!-- one bucket per day, from 30 days ago (midnight) up to now -->
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
This worked for me. Thanks!
For a simple search such as index=_internal | stats count , it can be done with index=_internal | bucket span=1d _time | stats count by _time (adding _time into the mix with span as 1d). If you can share your query, we can suggest the same transformation for your search.
Here is the query:
index=my_index "abc" | stats count AS ATTEMPTED_ORDERS | appendcols [search index=my_index "def" | stats count AS SUCCESSFUL_ORDERS] | eval UNSUCCESSFUL_ORDERS = ATTEMPTED_ORDERS - SUCCESSFUL_ORDERS | eval PERCENT_SUCCESSFUL = (SUCCESSFUL_ORDERS/ATTEMPTED_ORDERS) * 100 | table PERCENT_SUCCESSFUL
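Pulling the answers above together, here is an added example (my own SPL, not code from any of the posters) of the full per-day transformation of the query at the end of the thread, with two edge cases the thread's versions do not handle: a day with events of one kind but not the other, and a day with no matching events at all. It assumes the same index name (my_index) and the same placeholder search terms ("abc" marks an attempted order, "def" a successful one) used in the question; the 30-day window is fixed in the search rather than taken from the time picker.

```spl
index=my_index ("abc" OR "def") earliest=-30d@d latest=now
| timechart span=1d count(eval(searchmatch("abc"))) AS ATTEMPTED_ORDERS count(eval(searchmatch("def"))) AS SUCCESSFUL_ORDERS
| eval UNSUCCESSFUL_ORDERS = ATTEMPTED_ORDERS - SUCCESSFUL_ORDERS
| eval PERCENT_SUCCESSFUL = if(ATTEMPTED_ORDERS > 0, round(100 * SUCCESSFUL_ORDERS / ATTEMPTED_ORDERS, 2), null())
| table _time ATTEMPTED_ORDERS SUCCESSFUL_ORDERS UNSUCCESSFUL_ORDERS PERCENT_SUCCESSFUL
```

Two design choices are worth noting. timechart span=1d emits one row for every day in the window and fills days with no events with zero counts, whereas bucket ... | stats ... by _time silently drops those days, leaving gaps in a bar chart; the if(ATTEMPTED_ORDERS > 0, ...) guard then keeps a zero-attempt day from producing a division by zero (a null percentage renders as an empty bar rather than an error). searchmatch("abc") is used instead of like(_raw,"%abc%") because it applies the same case-insensitive term matching as the base search, so the counted events are exactly the ones the search retrieved. The extra count columns are kept in the table so the same search can drive a stacked bar chart of attempted versus successful orders alongside the percentage.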