https://community.splunk.com/t5/Splunk-Search/two-values-in-piechart/m-p/303251#M165698 <P>I have something like this as output:</P> <P>days count<BR /> 0 16<BR /> 2 3<BR /> 7 33<BR /> 16 9<BR /> 17 3<BR /> etc.. . What ik would like is to have two values voor the piechart. In this case count of 52 for &lt;14 days and a count of 12 for &gt; 14 days. In this way ik can represent two values in the chart</P> Wed, 11 Oct 2017 11:39:45 GMT Mike6960 2017-10-11T11:39:45Z https://community.splunk.com/t5/Splunk-Search/two-values-in-piechart/m-p/303249#M165696 <P>In my search ik got a field called 'days' . This field is generated through counting the number of days between two different dates. If i use this field in a pie chart ik see (of course) all the different values (e.g. 0 , 1, 16,321 etc.) and the count of these. I would like to generate a piechart with only two counts. number of count &lt;14 days and number of count &gt;14 days . Is this possible?</P> Wed, 11 Oct 2017 10:26:55 GMT https://community.splunk.com/t5/Splunk-Search/two-values-in-piechart/m-p/303249#M165696 Mike6960 2017-10-11T10:26:55Z https://community.splunk.com/t5/Splunk-Search/two-values-in-piechart/m-p/303250#M165697 <P>@Mike6960, can you please add more details about what you have and what you want. Possibly some mock data from current table and required table. Do you need something like this? Since you have asked for a pie chart I am hoping there should be multiple rows in your required table.</P> <PRE><CODE>days count 14 20 </CODE></PRE> Wed, 11 Oct 2017 11:26:10 GMT https://community.splunk.com/t5/Splunk-Search/two-values-in-piechart/m-p/303250#M165697 niketn 2017-10-11T11:26:10Z https://community.splunk.com/t5/Splunk-Search/two-values-in-piechart/m-p/303251#M165698 <P>I have something like this as output:</P> <P>days count<BR /> 0 16<BR /> 2 3<BR /> 7 33<BR /> 16 9<BR /> 17 3<BR /> etc.. . What ik would like is to have two values voor the piechart. In this case count of 52 for &lt;14 days and a count of 12 for &gt; 14 days. In this way ik can represent two values in the chart</P> Wed, 11 Oct 2017 11:39:45 GMT https://community.splunk.com/t5/Splunk-Search/two-values-in-piechart/m-p/303251#M165698 Mike6960 2017-10-11T11:39:45Z https://community.splunk.com/t5/Splunk-Search/two-values-in-piechart/m-p/303252#M165699 <P>Try something like this...</P> <PRE><CODE>your search that gets days | stats count as daycount by days | eval days = if(days&lt;=14,"14-","15+") | stats sum(daycount) as daycount by days </CODE></PRE> <HR /> <P>My practice is to always rename the <CODE>count</CODE> field if anything is going to happen with it other than presentation. This avoids the potential situation where in a later <CODE>stats</CODE> or <CODE>timestats</CODE> either you or Splunk might get confused as to which <CODE>count</CODE> you are talking about, the one that came out of a prior step or the one it is calculating itself. </P> Wed, 11 Oct 2017 12:57:19 GMT https://community.splunk.com/t5/Splunk-Search/two-values-in-piechart/m-p/303252#M165699 DalJeanis 2017-10-11T12:57:19Z https://community.splunk.com/t5/Splunk-Search/two-values-in-piechart/m-p/303253#M165700 <P>Thank you for your help. In your example you already did a rename or do i understand you wrong?</P> Wed, 11 Oct 2017 14:40:05 GMT https://community.splunk.com/t5/Splunk-Search/two-values-in-piechart/m-p/303253#M165700 Mike6960 2017-10-11T14:40:05Z https://community.splunk.com/t5/Splunk-Search/two-values-in-piechart/m-p/303254#M165701 <P>Yes...</P> <PRE><CODE>| stats count as daycount </CODE></PRE> <P>...calculates the count, but calls it daycount.</P> Wed, 11 Oct 2017 18:43:58 GMT https://community.splunk.com/t5/Splunk-Search/two-values-in-piechart/m-p/303254#M165701 DalJeanis 2017-10-11T18:43:58Z