https://community.splunk.com/t5/Splunk-Search/help-on-a-count-for-doing-a-pie-chart/m-p/496949#M194722 <P>sorry , I misunderstood.</P> <P>First, try this to create a pie chart.</P> <PRE><CODE>| makeresults count=20 | streamstats count as user_count | eval username="test".user_count | eval Building_AP=random()%3+1 | eval Building_IT=random()%3+1 | stats count(eval(Building_AP==Building_IT)) as APnotITOP count(username) as Total | eval Total = Total - APnotITOP | eval tmp=1 | untable tmp category count | fields - tmp </CODE></PRE> <P>In this way, I think you should use <CODE>untable</CODE>. Therefore, <CODE>where</CODE> is not necessary,</P> <PRE><CODE>| search Building_IT=* | stats count(eval(Building_AP==Building_IT)) as APnotITOP count(USERNAME) as Total | eval Total = Total - APnotITOP | eval tmp=1 | untable tmp category count | fields - tmp </CODE></PRE> <P>thanks.</P> Thu, 03 Oct 2019 12:29:24 GMT to4kawa 2019-10-03T12:29:24Z https://community.splunk.com/t5/Splunk-Search/help-on-a-count-for-doing-a-pie-chart/m-p/496946#M194719 <P>hi</P> <P>From the code below, I need to do a pie chart with 2 labels<BR /> I am doing a first count in order to count the events | where NOT (Building_AP = Building_IT) <BR /> My question is simple<BR /> How to display a second label in the pie chart which count the totality of the events less the events | where NOT (Building_AP = Building_IT) ?<BR /> It means that i need a label which count the % of events | where NOT (Building_AP = Building_IT) and another label which count the % of the remaining events</P> <PRE><CODE>`test` [| inputlookup host.csv | table host | rename host as USERNAME ] | lookup YY.csv NAME as AP_NAME OUTPUT Building | lookup XX.csv HOSTNAME as USERNAME output BUILDING_CODE | eval Building=upper(Building) | stats last(Building) as Building_AP, last(BUILDING_CODE) as Building_IT by USERNAME | where NOT (Building_AP = Building_IT) AND isnotnull(Building_IT) | stats count as APnotITOP </CODE></PRE> <P>Thanks for your help</P> Wed, 30 Sep 2020 02:27:41 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-count-for-doing-a-pie-chart/m-p/496946#M194719 jip31 2020-09-30T02:27:41Z https://community.splunk.com/t5/Splunk-Search/help-on-a-count-for-doing-a-pie-chart/m-p/496947#M194720 <PRE><CODE> | where NOT (Building_AP = Building_IT) AND isnotnull(Building_IT) | stats count as APnotITOP </CODE></PRE> <P>⇨</P> <PRE><CODE>| search Building_IT=* | fillnull Building_AP,Building_IT | eval APnotITOP=(Building_IT / (Building_AP +Building_IT) * 100)."%" </CODE></PRE> <P>try it.</P> Wed, 02 Oct 2019 11:37:33 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-count-for-doing-a-pie-chart/m-p/496947#M194720 to4kawa 2019-10-02T11:37:33Z https://community.splunk.com/t5/Splunk-Search/help-on-a-count-for-doing-a-pie-chart/m-p/496948#M194721 <P>You mean replace<BR /> | where NOT (Building_AP = Building_IT) AND isnotnull(Building_IT) <BR /> | stats count as APnotITOP<BR /> By your code?<BR /> If yes, what do you do about the where condition?<BR /> I want to count the events where where NOT (Building_AP = Building_IT) AND isnotnull(Building_IT) and to count also all the events in order to do a pie after deleting events where Building_IT is empty (thats why I use isnotnull(Building_IT) )<BR /> So your query is not good </P> Wed, 30 Sep 2020 02:27:45 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-count-for-doing-a-pie-chart/m-p/496948#M194721 jip31 2020-09-30T02:27:45Z https://community.splunk.com/t5/Splunk-Search/help-on-a-count-for-doing-a-pie-chart/m-p/496949#M194722 <P>sorry , I misunderstood.</P> <P>First, try this to create a pie chart.</P> <PRE><CODE>| makeresults count=20 | streamstats count as user_count | eval username="test".user_count | eval Building_AP=random()%3+1 | eval Building_IT=random()%3+1 | stats count(eval(Building_AP==Building_IT)) as APnotITOP count(username) as Total | eval Total = Total - APnotITOP | eval tmp=1 | untable tmp category count | fields - tmp </CODE></PRE> <P>In this way, I think you should use <CODE>untable</CODE>. Therefore, <CODE>where</CODE> is not necessary,</P> <PRE><CODE>| search Building_IT=* | stats count(eval(Building_AP==Building_IT)) as APnotITOP count(USERNAME) as Total | eval Total = Total - APnotITOP | eval tmp=1 | untable tmp category count | fields - tmp </CODE></PRE> <P>thanks.</P> Thu, 03 Oct 2019 12:29:24 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-count-for-doing-a-pie-chart/m-p/496949#M194722 to4kawa 2019-10-03T12:29:24Z https://community.splunk.com/t5/Splunk-Search/help-on-a-count-for-doing-a-pie-chart/m-p/496950#M194723 <P>sorry,I misunderstood.</P> <P>First, try this to create a pie chart.</P> <P>| makeresults count=20<BR /> | streamstats count as user_count<BR /> | eval username="test".user_count<BR /> | eval Building_AP=random()%3+1<BR /> | eval Building_IT=random()%3+1<BR /> | stats count(eval(Building_AP==Building_IT)) as APnotITOP count(username) as Total<BR /> | eval Total = Total - APnotITOP<BR /> | eval tmp=1<BR /> | untable tmp category count<BR /> | fields - tmp</P> Wed, 30 Sep 2020 02:22:45 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-count-for-doing-a-pie-chart/m-p/496950#M194723 to4kawa 2020-09-30T02:22:45Z