Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- MultiStage Sankey Diagram Count Issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using this as a reference:
https://answers.splunk.com/answers/470198/how-to-create-a-multistage-sankey-diagram-with-a-s.html
I am trying to build a sankey diagram to map requests from source to a status (in this case action = success or failure):
index=win* | stats count by src dest action
| appendpipe [stats count by src dest | rename src as source, dest AS target]
| appendpipe [stats count by dest action | rename dest as source, action AS target]
But the problem is that it gives me a count of the actions (which there are only 2 possible actions), and not an actual count
So the original search:
index=win* | stats count by src dest action
gives me a table like:
src | dest | action | count
ip1 srv1 failure 218
ip1 srv1 success 300
ip1 srv2 failure 1579
ip1 srv2 success 216
ip2 srv1 failure 1418
ip2 srv1 success 141
ip2 srv2 failure 97
ip2 srv2 success 1031
(there would be 8 combinations)
But the appendpipe to create the sankey:
| appendpipe
[stats count by src dest
| rename src as source, dest AS target]
| appendpipe
[stats count by dest action
| rename dest as source, action AS target]
| search source=*
| fields source target count
gives me a table like:
source | target | count
ip1 srv1 2
ip1 srv2 2
ip2 srv1 2
ip2 srv2 1
srv1 action1 2
srv1 action2 2
srv2 action1 2
srv2 action 2 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Managed to solve this problem by adding
index=win* | stats count by src dest action | rename count as realCount
| appendpipe [stats sum(realCount) as count by src dest | rename src as source, dest AS target]
| appendpipe [stats sum(realCount) as count by dest action | rename dest as source, action AS target]
| search source=*
| fields source target count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the answer on one of the comments:
| table src dest action
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This doesn't solve the issue
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
