I am trying to show on a line graph the percentage of failed login attempts in an authentication stream of events. Everything works but i just assume round the results when in the table view. I've tried inserting round() in a couple places but splunk yells at me for not having _time, not having any fields, or other reasons based on where I try to insert the function. The reality is having the decimal places doesn't detract in the line graph view but I've spent too long on this to just drop it 🙂
My search is designed to grab the eventtypes for authentication success and failure. Because those events also have additional eventtypes associated with them I have used the following to trim back to just the eventtypes I want to count. The math is basiclaly (failure / (failure+success))*100.
...| timechart eval(count(eval(eventtype="authentication_failure")) / (count(eval(eventtype="authentication_failure")) + count(eval(eventtype="authentication_success")))*100) AS rate
I can add a pipe on the end and do an "eval rate=round(rate)" but then you can't drill down into the results. If there is a better way to do this I'm all ears.
Mark
I don't believe that automatic row drill down is smart enough to handle this case, so if you're running this search from the flashtimeline, you're going to have to choose between a pretty-printed, rounded rate or a working row drill down.
If you want both, you'll have to build a view with a Custom drill down behavior against the SimpleResultsTable module where the results will be displayed.
I don't believe that automatic row drill down is smart enough to handle this case, so if you're running this search from the flashtimeline, you're going to have to choose between a pretty-printed, rounded rate or a working row drill down.
If you want both, you'll have to build a view with a Custom drill down behavior against the SimpleResultsTable module where the results will be displayed.
Got ya. Thanks for the answer.