https://community.splunk.com/t5/Dashboards-Visualizations/Filter-Data/m-p/543700#M37280 <P>I have a large list of data.&nbsp; I want to only see lines that include certain words.&nbsp; ie would be: Restart.&nbsp; I want to see all mins that are spent to restart a product.&nbsp; I want to create categories for certain words sum the the mins and have it in a pie chart.&nbsp; So the line item may say...restarted&gt;RESTARTED&gt;re started&gt; etc.&nbsp; I want to captured the information in one section of the pie.&nbsp; I can do a google hangout if anyone would like to work with me on this.</P> Sat, 13 Mar 2021 22:37:07 GMT pglover12 2021-03-13T22:37:07Z https://community.splunk.com/t5/Dashboards-Visualizations/Filter-Data/m-p/543700#M37280 <P>I have a large list of data.&nbsp; I want to only see lines that include certain words.&nbsp; ie would be: Restart.&nbsp; I want to see all mins that are spent to restart a product.&nbsp; I want to create categories for certain words sum the the mins and have it in a pie chart.&nbsp; So the line item may say...restarted&gt;RESTARTED&gt;re started&gt; etc.&nbsp; I want to captured the information in one section of the pie.&nbsp; I can do a google hangout if anyone would like to work with me on this.</P> Sat, 13 Mar 2021 22:37:07 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Filter-Data/m-p/543700#M37280 pglover12 2021-03-13T22:37:07Z https://community.splunk.com/t5/Dashboards-Visualizations/Filter-Data/m-p/543702#M37281 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170665">@pglover12</a>&nbsp;</P><P>If you events do not include a duration, you'll need to calculate one from a start and end event. For example:</P><LI-CODE lang="javascript">Mar 13 00:23:00 host1 food: Restarted. Mar 13 00:15:00 host1 food: Restarting...</LI-CODE><P>where host=host1 and process=food.</P><LI-CODE lang="javascript">host=* process=* Restarting Restarted | transaction host process startswith=Restarting endswith=Restarted | eval duration_mins=duration / 60 | eval category=host.":".process | stats sum(duration_mins) by category</LI-CODE><P>You can include multiple variations on start and end indicators.</P><P>The transaction command doesn't necessarily scale well, but a more detailed example of your source data would be required to provide a more scalable solution.</P> Sat, 13 Mar 2021 23:00:28 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Filter-Data/m-p/543702#M37281 tscroggins 2021-03-13T23:00:28Z https://community.splunk.com/t5/Dashboards-Visualizations/Filter-Data/m-p/543715#M37282 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170665">@pglover12</a>,</P><P>you have to identify the words to use for data classification and use them, e.g.:</P><P>error: error, panic, critical</P><P>authentication: login, logout, logfail</P><P>etc...</P><LI-CODE lang="markup">your-search | eval type=case(searchmatch("error","error", searchmatch("panic","error", searchmatch("critical","error", searchmatch("login","authentication", searchmatch("logout","authentication",searchmatch("logfail","authentication") | stats count BY type</LI-CODE><P>use this search as an approach for your searches.</P><P>Ciao.</P><P>Giuseppe</P> Sun, 14 Mar 2021 07:15:42 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Filter-Data/m-p/543715#M37282 gcusello 2021-03-14T07:15:42Z