Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Charting values are not right

johnblakley
Explorer
‎10-24-2017 03:02 PM

I'm seeing a weird problem that I've been banging my head on today. I have the following search:

index="tap" eventType="messagesDelivered" OR eventType="messagesBlocked" | stats count(eval(eventType=="messagesBlocked")) AS Blocked, count(eval(eventType=="messagesDelivered")) AS Delivered | eval Total=(Blocked+Delivered) | eval divided = Blocked/Total | eval Percent_Blocked=round((divided*100),0)."%" | fields Blocked,Delivered,Total,Percent_Blocked

The search works fine, but it charts only the Blocked field and nothing else, so my pie chart is 100% Blocked and a single color. I'm wanting to chart the blocked and delivered as separate slices. I think it has something to do with my stats and eval command renaming.

The original data are from the field eventType. If I don't eval them to different fields, they show up as individual rows instead of columns - but this works:

alt text

If I do the original search with stats and eval, I get this:
alt text

Any ideas on how I can chart this based off of the Blocked and Delivered columns?

Thanks!

Preview file
15 KB
Preview file
21 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎10-24-2017 06:00 PM

I don’t think you’re going to be able to put that original search into a pie chart. Why do you need them in separate columns? Is it just for the total and percentage calculations? You can try ...|eventstats sum(count) as total|eval Percent=round((count/total)*100,0)."%"

View solution in original post

Reply
Solved! Jump to solution

DalJeanis
Legend
‎10-24-2017 06:08 PM

You are doing too much work for the system. Get lazier.

Try this...

 index="tap" eventType="messagesDelivered" OR eventType="messagesBlocked" 
| stats count by eventType

That should give you two records. Drop it into the pie chart, and you should get two slices on the pie.

If you want to clean up the names a little, add these two...

| rex mode=sed field=eventType "s/messages//g"
| rename eventType as Type

... and you can also add this for some additional options

| chart sum(count) by Type
0 Karma
Reply
Solved! Jump to solution

johnblakley
Explorer
‎10-25-2017 06:00 AM

This is how I received the chart at the top - minus cleaning it with sed. With this search though, I'm unable to show the % in the chart. Is there a way to chart messagesDelivered and messagesBlocked only, and still allow a 3rd row for Percentage (but not chart it).

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎10-25-2017 07:52 AM

@johnblakely - glad you got your answer from the inestimable @cmerriman.

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎10-24-2017 06:00 PM

I don’t think you’re going to be able to put that original search into a pie chart. Why do you need them in separate columns? Is it just for the total and percentage calculations? You can try ...|eventstats sum(count) as total|eval Percent=round((count/total)*100,0)."%"

Reply
Solved! Jump to solution

johnblakley
Explorer
‎10-25-2017 06:10 AM

Thanks! I was able to add this to the original search (with help from DalJeanis) and come up with a perfect chart with percentages. I'm not able to upload a screenshot to a comment, but here's the final search below:

index="tap" eventType="messagesDelivered" OR eventType="messagesBlocked" | stats count by eventType | rex mode=sed field=eventType "s/messages//g" | eventstats sum(count) as total|eval Percent=round((count/total)*100,0)."%" | rename eventType as Type, count as Totals | fields Type, Totals, Percent
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...