How to generate timechart for eventstats per minut...

rithick · ‎10-30-2019

index=something     | rex field=_raw ".*\&WST=(?P<MMMId>[^&]+).*"     | search Googly     | dedup MMMId     | bucket_time span=1m    | eventstats count as Total_Volume    | rex field=_raw "&PCS=(?<MMM_Status>\d)\&"     | search MMM_Status="1"     | stats count as Volume values(Total_Volume) as Grand by MMM_Status     | eval MMM_Status=(Volume/Grand)*100.0    | table MMM_Status

i am unable to get MMM_Status per minute for the last 10 minutes. Any inputs.

arjunpkishore5 · ‎11-01-2019

If I understand your question right, this should do the trick

 index=something  Googly   
 | rex field=_raw ".*\&WST=(?P<MMMId>[^&]+).*"     
 | dedup MMMId
 | rex field=_raw "&PCS=(?<MMM_Status>\d)\&"      
 | timechart span=1m count as Grand, count(eval(MMM_Status=="1")) as Volume 
 | eval MMM_Status=(Volume/Grand)*100.0    
 | fields - Volume, Grand

Hope this helps.

Cheers!

kmaron · ‎11-01-2019

Try this

index=something 
| rex field=_raw ".*\&WST=(?P<MMMId>[^&]+).*" 
| search Googly 
| dedup MMMId 
| bucket _time span=1m 
| rex field=_raw "&PCS=(?<MMM_Status>\d)\&" 
| stats count as Volume by MMM_Status _time
| eventstats count as Grand
| search MMM_Status="1"
| eval MMM_Status=(Volume/Grand)*100.0 
| timechart span=1m max(MMM_Status)

How to generate timechart for eventstats per minute for multisearch

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk