- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: two values in piechart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my search ik got a field called 'days' . This field is generated through counting the number of days between two different dates. If i use this field in a pie chart ik see (of course) all the different values (e.g. 0 , 1, 16,321 etc.) and the count of these. I would like to generate a piechart with only two counts. number of count <14 days and number of count >14 days . Is this possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this...
your search that gets days
| stats count as daycount by days
| eval days = if(days<=14,"14-","15+")
| stats sum(daycount) as daycount by days
My practice is to always rename the count field if anything is going to happen with it other than presentation. This avoids the potential situation where in a later stats or timestats either you or Splunk might get confused as to which count you are talking about, the one that came out of a prior step or the one it is calculating itself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this...
your search that gets days
| stats count as daycount by days
| eval days = if(days<=14,"14-","15+")
| stats sum(daycount) as daycount by days
My practice is to always rename the count field if anything is going to happen with it other than presentation. This avoids the potential situation where in a later stats or timestats either you or Splunk might get confused as to which count you are talking about, the one that came out of a prior step or the one it is calculating itself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your help. In your example you already did a rename or do i understand you wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes...
| stats count as daycount
...calculates the count, but calls it daycount.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Mike6960, can you please add more details about what you have and what you want. Possibly some mock data from current table and required table. Do you need something like this? Since you have asked for a pie chart I am hoping there should be multiple rows in your required table.
days count
14 20
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have something like this as output:
days count
0 16
2 3
7 33
16 9
17 3
etc.. . What ik would like is to have two values voor the piechart. In this case count of 52 for <14 days and a count of 12 for > 14 days. In this way ik can represent two values in the chart
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
