Solved: Including event count in chart results for Simple ...

splunk_svc · ‎10-05-2016

I'm trying to get a pie chart to display percentages of total results as well as the number of events for each eventtype reported.
(i.e. have the percentage and the event count for each segment of the pie chart displayed.

I can get the percentage displayed using this:

<option name="charting.chart.showPercent">true</option>

I don't see an equivalent option for displaying the event count however.

The only answer I could find was from a couple of years ago
(https://answers.splunk.com/answers/203082/pie-chart-legend-show-as-a-separate-element.html)
(Not exactly what I was looking for but would be a starting point)

It suggests running a second copy of the query and outputting the event count to another table in the same panel:
(sample query)

<panel>
  <chart>
    <searchString>sourcetype=access_* status=200 action=purchase | top categoryId</searchString>
    <earliestTime>0</earliestTime>
    <latestTime/>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">false</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">pie</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>
  <table>
    <searchString>sourcetype=access_* status=200 action=purchase | top categoryId</searchString>
  </table>
</panel>

The issue with this is that it doubles the length of time it takes to generate the panel.
The query itself can take up to 20 seconds or so, which means waiting 40 seconds for the sake of getting the event count.

Is there a charting option similar to charting.chart.showPercent which can do this to avoid running the second query?

somesoni2 · ‎10-06-2016

Try this workaround (just the query update needed)

sourcetype=access_* status=200 action=purchase | top categoryId | eval categoryId=categoryId." ,".count

View solution in original post

somesoni2 · ‎10-06-2016

Try this workaround (just the query update needed)

sourcetype=access_* status=200 action=purchase | top categoryId | eval categoryId=categoryId." ,".count

splunk_svc · ‎10-06-2016

Thanks somesoni2. Worked like a treat.

Including event count in chart results for Simple XML dashboard

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk