Splunk Search

How can I display our search results as a percent in a single value panel?

j_r
Path Finder

Hi
my basesearch...

index = lc source= X
|stats count by status

...gets me the amount status by status:

Status Amount
Available 88
InProgress 45
UnAvailable 3

I would like to display the utilization (InProgress/Total) as percent with a single value panel. I tried already with a subsearch and eval, but it didn't work 😕

0 Karma

niketn
Legend

@j_r from your requirement it seems like you need percent of InProgress and Total over time so that Single Value has both percent and Sparkline for trend. This is different from stats which is overall Total and percent.

Try the following:

 index = lc source= X
| timechart count as Total count(eval(status="InProgress")) as InProgress
| eval perc=round((InProgress/Total)*100,2)
| fillnull value=0
| table _time perc

Following is a run anywhere search based on Splunk's _internal index and splunkd_ui_access sourcetype which gives Success % access over time on similar lines.

index=_internal sourcetype=splunkd_ui_access
| timechart count as Total count(eval(status=200)) as Success
| eval perc=round((Success/Total)*100,2)
| fillnull value=0
| table _time perc
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

renjith_nair
Legend

@j_r,

Try

index = lc source= X  |stats count by status
|eventstats sum(count) as total
|eval perc=round((count/total)*100,2)
---
What goes around comes around. If it helps, hit it with Karma 🙂

j_r
Path Finder

This gives me the results I need. Thanks 🙂
But how can I display the utilization (InProgress/Total) as a single value panel?

0 Karma

renjith_nair
Legend

@j_r,
Do you want to show only In Progress or for all status? Also do you want to show actual perc (40%) or as a string (InProgress/Total), e.g. (40/100)?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

j_r
Path Finder

I would like to show the actual perc (result of InProgress/Total) as a single value panel including sparklines and trend indicators.

0 Karma

renjith_nair
Legend

Sparklines and trend indicators can be used only if you have a trend, i.e. value of this utilization over a period of time. A simple single value visualization based on perc is below. It has both conditions - for single value and for a trend.

<dashboard>
  <label>Single Value Utilization</label>
  <row>
    <panel>
      <title>Single Value Based on "Single Value" Not A "Trend"</title>
      <single>
        <search>
          <query>index=_* earliest=-1m
| stats count by index
| eventstats sum(count) as _total
| eval perc=round((count/_total)*100,2)
| fields perc,index
| where index="_internal"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051","0xf8be34","0xdc4e41"]</option>
        <option name="rangeValues">[50,80]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Single Value Based on "Trend"</title>
      <single>
        <search>
          <query>index=_internal 
| timechart count span=1m</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
</dashboard>
---
What goes around comes around. If it helps, hit it with Karma 🙂
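
The two answers above can be combined into the panel the question asks for: the timechart-based percentage from the first answer placed in a single value panel, so the sparkline and trend indicator have a time series to work from. This is an added example, not part of any post in this thread; the `index=lc source=X` search comes from the question, while the 1-hour span, the 24-hour window and the 50/80 colour thresholds are assumptions.

```xml
<dashboard>
  <label>InProgress Utilization</label>
  <row>
    <panel>
      <title>Utilization (InProgress / Total)</title>
      <single>
        <search>
          <!-- Base search from the question. timechart yields one row per
               time bucket, which is what the sparkline and trend need.
               A bucket with no events gives a null perc (0/0), which
               fillnull turns into 0 so the series has no gaps. -->
          <query><![CDATA[index=lc source=X
| timechart span=1h count as Total count(eval(status="InProgress")) as InProgress
| eval perc=round((InProgress/Total)*100,2)
| fillnull value=0 perc
| table _time perc]]></query>
          <!-- Assumed window: 24 buckets of one hour each -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <!-- Show the value as e.g. 33.09 % -->
        <option name="numberPrecision">0.00</option>
        <option name="unit">%</option>
        <option name="unitPosition">after</option>
        <!-- Both of these only render when the search returns a time series -->
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendDisplayMode">absolute</option>
        <!-- Assumed thresholds: below 50 green, 50 to 80 yellow, above 80 red -->
        <option name="colorBy">value</option>
        <option name="useColors">1</option>
        <option name="rangeValues">[50,80]</option>
        <option name="rangeColors">["0x53a051","0xf8be34","0xdc4e41"]</option>
      </single>
    </panel>
  </row>
</dashboard>
```

The panel shows the `perc` value of the most recent bucket, so with `latest` set to `now` the headline number reflects the current, still-filling hour.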