Getting Data In

Can you use a field as a filter in a dashboard with the Sum function?

djain
Path Finder

Hey splunkers,

This problem is haunting me. So I created a query to find a percentage on a RGU value that remains constant for the calculation of error_ rate and hence I wrote this Query:

(index=calls sourcetype="tc_detail_enriched") OR (index="calls" sourcetype="RGU"  (LoB="CDV" OR LoB = "HSD" OR LoB = "VIDEO" OR LoB = "XH"))
| eventstats sum(RGU) AS RGU_SUM
| bin _time span=1d as day   
| convert timeformat="%F" ctime(day) 
| eventstats  count(ACCOUNT_NUMBER) AS TC_CALLS by day
| eval error_rate = (TC_CALLS/RGU_SUM) * 100 
| stats values(error_rate) by day

However, I want to add a filter to the dashboard on the field LoB. Now the problem is that, since I have only selected the field RGU_SUM as Sum of all RGU fields, I'm unable to filter with LoB.

0 Karma

Vijeta
Influencer

You can do
| eventstats sum(RGU) AS RGU_SUM by LoB

0 Karma

djain
Path Finder

Unfortunately that results in the error rate not getting calculated at all. Because I think "TC_CALLS by day" is making splunk unable to compare the 2

0 Karma

Vijeta
Influencer

Before your last command of stats , the query is returning all the fields, you can filter using where just before stats command, or you can use |stats values(error_rate) by day lob

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...