Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to calculate a percentage for my timechart?

k_harini
Communicator
‎11-22-2016 06:03 AM

I have to calculate % of SLA missed over time.

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status |addtotals| foreach * [eval sla_perc = count * 100 /Total]

Not sure why this is not working. Please help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 06:50 AM

Try this

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status | addtotals| foreach * [eval <<FIELD>>=if(<<FIELD>>==Total, <<FIELD>>, <<FIELD>>/Total)]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 06:50 AM

Try this

basesearch|dedup ID|EVAL sla_status = case(Status like "Closed MPT Warning%","Closed-MPT Warning",Status like "Closed MPT Exceeded%","Closed-MPT Exceeded",Status like "Closed IRT Exceeded%","Closed-IRT Exceeded",Status like "Closed IRT Warning%","Closed-IRT Warning",Status like "Closed%","Closed") |timechart count as sla_count by sla_status | addtotals| foreach * [eval <<FIELD>>=if(<<FIELD>>==Total, <<FIELD>>, <<FIELD>>/Total)]
0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:25 AM

which field should i compare with Total.. I just need %.. (count/total)*100 for all values...

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-22-2016 09:31 AM

<<FIELD>> represents each field in the "table". In this case, it will exclude fieldName=Total. Are you not seeing correct results?

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:38 AM

ok thanks.. I'm not getting results.. 😞

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-22-2016 10:18 AM

If the field names are numerical, enclose <<FIELD>> within single quotes - '<<FIELD>>'

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 10:56 AM

Thank you so much.. it worked.. foreach * [eval <>=round('<>'*100/Total].. I was struggling with this for such a long time..

0 Karma
Reply
Solved! Jump to solution

PPape
Contributor
‎11-22-2016 06:14 AM

1.) what is the result you get?
2.) in your foreach [eval sla_perc = count 100 /Total] statement... shouldnt the count be a sla_count?
Asking because in the timechart you define count as sla_count "|timechart count as sla_count by sla_status "

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎11-22-2016 09:24 AM

I get results till Total.. Not getting %.. yes.. it was sla_count.. First did with count and then tried with alias too.. Not working

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...