hi. Thanks for above command. how can I tweak the above command to get total events for all day, so that I can view the percentage of events that are processed on a given day within timebucket (i.e 10% events processed in 0-10 mins, 25% events processed in 10-20 mins on 9/25/2016 (trans_date) and the same on 09/26/2016 (trans_date) etc)

Is it not giving you that right now? It is calculating the percentage based on total events.

With the above command I am getting individual columns per date . I actually want a chart that shows the following . X-axis should show the date and the column should be divided by events percentage for a given day.

y-Axis (time buckets)

30 % 35%
20 % 26%

10 % 12%

X-Axis 09/25 09/26

Give this a try..

your current search giving field Location, Processing_time, trans_date
 | bucket span=10 Processing_time 
 | stats count by trans_date Processing_time 
 | eventstats sum(count) as Total by trans_date
 | eval Percent=round(count*100/Total,2)
 | table trans_date, Processing_time Percent
 | rename Processing_time as DurationBucket | xyseries trans_date DurationBucket Percent

Hi. it is working to an extent. It is giving me multiple columns on the graph per date. I actually want to get a single column on the chart per date and that column should be shown in buckets with event percents. In this case, we will have dual y-axis. left Y-axis will show the percent and the right y-axis will show the average time . Not sure if this can be done in splunk.

Can you try my original answer with stacked chart option?

Hi. Thanks a lot for guidance. With the stacked chart option I was able to merge the events to a single column per date. In the same chart, Is there a way in splunk to show a line which gives the average time (i.e average time taken by events on a given day) ?

Give this a try. Select stacked chart option and in chart overlay select field AverageTime

your current search giving field Location, Processing_time, trans_date
| eventstats avg(Processing_time) as avg by trans_date
 | bucket span=10 Processing_time 
 | stats count values(avg) as avg by trans_date Processing_time 
 | eventstats sum(count) as Total by trans_date
 | eval Percent=round(count*100/Total,2)
 | table trans_date, Processing_time Percent avg
 | rename Processing_time as DurationBucket avg as AverageTime

Hi. With the above command I was able to get the average time with the overlay option but the columns are not stacked (even after selecting the stacked chart option). On a given date (trans_date) it is showing column for each DurationBucket.

See if solution for this post works for you.

https://answers.splunk.com/answers/81701/chart-overlay-and-different-graph-type.html

Thank you !! The following command you gave what I wanted.

your current search giving field Location, Processing_time, trans_date
| bucket span=10 Processing_time
| stats count by trans_date Processing_time
| eventstats sum(count) as Total by trans_date
| eval Percent=round(count*100/Total,2)
| table trans_date, Processing_time Percent
| rename Processing_time as DurationBucket | xyseries trans_date DurationBucket Percent

Hi- following is the mock table

Trans_date DurationBucket Percent
9/21/2016 0-10Mins 10.35
9/22/2016 10-20 Mins 25.23

And how is the percent calculated? Based on count of events for that day OR total events for all day?

based on count of events for that day. Thank you