https://community.splunk.com/t5/All-Apps-and-Add-ons/Trouble-creating-a-Pie-Chart-with-URL-filtering/m-p/400623#M48873 <P>Thanks! This simplified things.</P> Fri, 23 Nov 2018 16:26:23 GMT DeanDeleon0 2018-11-23T16:26:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Trouble-creating-a-Pie-Chart-with-URL-filtering/m-p/400621#M48871 <P>Hello all!</P> <P>I am using the dashboards generated in the Palo Alto Networks App and attempting to divide the http_category (for URL filtering) to group them into specific other categories and then create a Pie Chart of the results. The results of the search add the count of each correctly, but I am unable to how this work "visually".</P> <P>Basically I want to flag specific "http_category" events as "Good", "Bad", and "Grey area" as an example. So that "Bad" could contain sports, shopping and games, "Good" could contain government, legal and news, etc...</P> <P>I am able to get correct numbers (by adding them up manually to verify) with this following search:</P> <PRE><CODE>| tstats values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" """" log.action="*" GROUPBY _time log.dest_name log.app:category log.http_category log.app log.action log.content_type log.vendor_action | rename log.* AS * | stats sum(eval(http_category="sports" OR http_category="shopping" OR http_category="games")) as bad, sum(eval(http_category="legal" OR http_category="government" OR http_category="news")) as good, sum(eval(http_category="music" OR http_category="religion" OR http_category="media")) as "grey area" </CODE></PRE> <P>Any suggestions on how I can resolve this or am I looking at this completely wrong? Any help with be very much appreciated.</P> <P>Thanks,</P> <P>Dean</P> Wed, 21 Nov 2018 21:02:45 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Trouble-creating-a-Pie-Chart-with-URL-filtering/m-p/400621#M48871 DeanDeleon0 2018-11-21T21:02:45Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Trouble-creating-a-Pie-Chart-with-URL-filtering/m-p/400622#M48872 <P>Rather than trying to sum an eval, my suggestion is to create a lookup. The lookup could have two columns: <CODE>http_category</CODE>, <CODE>http_category_verdict</CODE></P> <P>For each http category, set a verdict of <CODE>good</CODE>, <CODE>bad</CODE>, or <CODE>gray area</CODE>. Then, whenever you have results with an http_category field, just pipe to the lookup table:</P> <PRE><CODE>&lt;rest of search&gt; | lookup your-lookup-table http_category </CODE></PRE> <P>That will reference the lookup table and add a field called <CODE>http_category_verdict</CODE> to each log based on the http category of each log.</P> <P>Hope that helps!</P> Wed, 21 Nov 2018 23:20:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Trouble-creating-a-Pie-Chart-with-URL-filtering/m-p/400622#M48872 btorresgil 2018-11-21T23:20:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Trouble-creating-a-Pie-Chart-with-URL-filtering/m-p/400623#M48873 <P>Thanks! This simplified things.</P> Fri, 23 Nov 2018 16:26:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Trouble-creating-a-Pie-Chart-with-URL-filtering/m-p/400623#M48873 DeanDeleon0 2018-11-23T16:26:23Z