Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to calculate a percentage for my timechart?

k_harini
Communicator
‎11-22-2016 06:03 AM

I have to calculate % of SLA missed over time.

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status |addtotals| foreach * [eval sla_perc = count * 100 /Total]

Not sure why this is not working. Please help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 06:50 AM

Try this

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status | addtotals| foreach * [eval <<FIELD>>=if(<<FIELD>>==Total, <<FIELD>>, <<FIELD>>/Total)]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 06:50 AM

Try this

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status | addtotals| foreach * [eval <<FIELD>>=if(<<FIELD>>==Total, <<FIELD>>, <<FIELD>>/Total)]
0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:25 AM

which field should i compare with Total.. I just need %.. (count/total)*100 for all values...

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-22-2016 09:31 AM

<<FIELD>> represents each field in the "table". In this case, it will exclude fieldName=Total. Are you not seeing correct results?

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:38 AM

ok thanks.. I'm not getting results.. 😞

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-22-2016 10:18 AM

If the field names are numerical, enclose <<FIELD>> within single quotes - '<<FIELD>>'

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 10:56 AM

Thank you so much.. it worked.. foreach * [eval <>=round('<>'*100/Total].. I was struggling with this for such a long time..

0 Karma
Reply
Solved! Jump to solution

PPape
Contributor
‎11-22-2016 06:14 AM

1.) what is the result you get?
2.) in your foreach [eval sla_perc = count 100 /Total] statement... shouldnt the count be a sla_count?
Asking because in the timechart you define count as sla_count "|timechart count as sla_count by sla_status "

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:24 AM

I get results till Total.. Not getting %.. yes.. it was sla_count.. First did with count and then tried with alias too.. Not working

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...