topic Re: help on complex dynamic pie chart in Splunk Search

help on complex dynamic pie chart

jip31 — Sun, 15 Dec 2019 14:25:10 GMT

Hello

I use the search below in order to display datas in a pie chart
As you can see in my eval command, I agregate different services in order to disply them in a single name like "McAFEE" or "Windows native process".
My need is to be able to click on the on the "McAFEE" laber or the "Windows native process" label in order to display a new pie chart with the services in relation with this label
For McAFEE, its for example "mfev%", "mcdatrep", "mcshield", "amupdate", "McScript_InUse", "macompatsvc" , "FrameworkService" OR "McScanCheck"
Could you help me please??

`CPU` 
| fields process_cpu_used_percent host process_name 
| where process_cpu_used_percent>50 
| dedup host process_name 
| eval process_name=case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield" OR process_name=="amupdate" OR process_name=="McScript_InUse" OR process_name=="macompatsvc" OR process_name=="FrameworkService" OR process_name=="McScanCheck", "McAFEE", process_name like "Wmi%", "WMI", process_name=="conhost", "CMD Windows console", process_name=="csrss" OR process_name=="System" OR process_name=="TiWorker" OR process_name=="msfeedssync" OR process_name=="msiexec" OR process_name=="rundll32" OR process_name=="services" OR process_name like "svchost%" OR process_name=="OneDriveSetup" OR process_name=="poqexec" OR process_name=="unsecapp" OR process_name=="TabTip" OR process_name=="Memory_Compression" OR process_name=="SetupHost" OR process_name=="WerFault" OR process_name=="explorer" OR process_name=="mscorsvw" OR process_name=="sppsvc" OR process_name=="ngen" OR process_name=="spoolsv" OR process_name=="SrTasks" OR process_name=="policyHost" OR process_name=="dwm" OR process_name=="perf-test-9c" OR process_name like "SearchProtocolHost%" OR process_name like "RuntimeBroker%" OR process_name like "LogonUI%", "Windows native process", process_name=="taskhost", "Tasks scheduler")
| stats count(host) as Total by process_name 
| sort -Total

Re: help on complex dynamic pie chart

to4kawa — Mon, 16 Dec 2019 08:54:12 GMT

BASE SEARCH:

`CPU` 
| eval PROCESS=case(process_name like "mfev%" OR process_name like "mcdatrep" OR process_name=="mcshield" OR process_name=="amupdate" OR process_name=="McScript_InUse" OR process_name=="macompatsvc" OR process_name=="FrameworkService" OR process_name=="McScanCheck", "McAFEE", process_name like "Wmi%", "WMI", process_name=="conhost", "CMD Windows console", process_name=="csrss" OR process_name=="System" OR process_name=="TiWorker" OR process_name=="msfeedssync" OR process_name=="msiexec" OR process_name=="rundll32" OR process_name=="services" OR process_name like "svchost%" OR process_name=="OneDriveSetup" OR process_name=="poqexec" OR process_name=="unsecapp" OR process_name=="TabTip" OR process_name=="Memory_Compression" OR process_name=="SetupHost" OR process_name=="WerFault" OR process_name=="explorer" OR process_name=="mscorsvw" OR process_name=="sppsvc" OR process_name=="ngen" OR process_name=="spoolsv" OR process_name=="SrTasks" OR process_name=="policyHost" OR process_name=="dwm" OR process_name=="perf-test-9c" OR process_name like "SearchProtocolHost%" OR process_name like "RuntimeBroker%" OR process_name like "LogonUI%", "Windows native process", process_name=="taskhost", "Tasks scheduler")

McAfee or Win:

| stats dc(eval(if(process_cpu_used_percent > 50,host,NULL))) as Total by PROCESS

Process_selected:

| where PROCESS==$your_token|s$
| stats dc(eval(if(process_cpu_used_percent > 50,host,NULL))) as Total by process_name
| sort 0 - Total

I think it is easy to make three charts obediently.

Re: help on complex dynamic pie chart

jip31 — Mon, 16 Dec 2019 12:34:41 GMT

Thanks for your answer
If I well understand I have to replace my original search by your search?
More I dont understand | where PROCESS==$your_token|s$
Do I have to enter the name of the process here? Like McAFEE or Windows native process?

Re: help on complex dynamic pie chart

to4kawa — Mon, 16 Dec 2019 16:46:10 GMT

I thought you would make a dashboard, so I attached it to receive a drill-down token.
yes, you will put the PROCESS("McAFEE","Windows native process","Tasks scheduler")

Re: help on complex dynamic pie chart

jip31 — Tue, 17 Dec 2019 07:07:03 GMT

Sorry but I had a doubt 😉
so for summarize
1) I keep my search in the main dash
2) I create a drilldown with your search linked to my search? Do I have to add something in advanced parameters?
And are you sure that if I click on the McAFEE pie label from my search it will only open a pie chart with the McAFEE sub processes?
thanks

Re: help on complex dynamic pie chart

to4kawa — Tue, 17 Dec 2019 12:04:30 GMT

1 yes.
2 as you like.
Advanced parameters are not necessary.
When I created a dashboard on a trial basis, it was possible to drill down.