Can you use a field as a filter in a dashboard wit...

djain · ‎09-27-2018

Hey splunkers,

This problem is haunting me. So I created a query to find a percentage on a RGU value that remains constant for the calculation of error_ rate and hence I wrote this Query:

(index=calls sourcetype="tc_detail_enriched") OR (index="calls" sourcetype="RGU"  (LoB="CDV" OR LoB = "HSD" OR LoB = "VIDEO" OR LoB = "XH"))
| eventstats sum(RGU) AS RGU_SUM
| bin _time span=1d as day   
| convert timeformat="%F" ctime(day) 
| eventstats  count(ACCOUNT_NUMBER) AS TC_CALLS by day
| eval error_rate = (TC_CALLS/RGU_SUM) * 100 
| stats values(error_rate) by day

However, I want to add a filter to the dashboard on the field LoB. Now the problem is that, since I have only selected the field RGU_SUM as Sum of all RGU fields, I'm unable to filter with LoB.

Vijeta · ‎09-27-2018

You can do
| eventstats sum(RGU) AS RGU_SUM by LoB

djain · ‎09-27-2018

Unfortunately that results in the error rate not getting calculated at all. Because I think "TC_CALLS by day" is making splunk unable to compare the 2

Vijeta · ‎09-27-2018

Before your last command of stats , the query is returning all the fields, you can filter using where just before stats command, or you can use |stats values(error_rate) by day lob

Can you use a field as a filter in a dashboard with the Sum function?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases