Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Editing the other value for a pie chart

Abass42
Communicator
a week ago

I have a query that is executing a stats count by source type, as we want to see how many sensitive files leave our firm and the quantity. I am doing an appendcols and then transposing

Abass42_0-1746733170271.png

In the dashboard, the pie chart look like:

Abass42_1-1746733282019.png

 

 

index=fortinet dlpextra IN (WatermarkBlock1,Log_WatermarkBlock2,Log_WatermarkBlock3,Log_WatermarkBlock4)  | lookup DataF.csv dlpextra OUTPUT C_Label as C_Label
| stats count as Proxy
| appendcols
    [search index=iron AutomaticClassification
| lookup IPort_Class.csv DLP_Class OUTPUT C_Label as C_Label
| stats count as Email]

| appendcols
    [search index=035 "Common.DeviceName"="p151.d.com" OR Common.DeviceName="p1p71.c.com" "SensitiveInfoTypeData{}.SensitiveInfoTypeName"=*
| table SensitiveInfoTypeData{}.SensitiveInfoTypeName 
| stats count as SFTP
]
| appendcols
    [search index=testing sourcetype="net:alert" dlp_rule="AZ C*"
| eval dlp_rule=replace(dlp_rule, "AB", "")
| stats count as Netskope]
| transpose
| rename "row 1" as Count

My question is, how would you edit the Splunk query to rename the column name to the value I provided instead of Other. 

DO i even need a transpose? That has been the best way I have found for creating a pie chart out of different data sources. 

Preferably, id like to understand how to do that with the JSON formatting I get with Dashboard studio, as well as figure out how to do it inline, within the query. 

 

Thanks

 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
a week ago

Try this query that does not use appends or transpose.

(index=fortinet dlpextra IN (WatermarkBlock1,Log_WatermarkBlock2,Log_WatermarkBlock3,Log_WatermarkBlock4))
OR (index=035 "Common.DeviceName"="p151.d.com" OR Common.DeviceName="p1p71.c.com" "SensitiveInfoTypeData{}.SensitiveInfoTypeName"=*)
OR (index=iron AutomaticClassification)
OR (index=testing sourcetype="net:alert" dlp_rule="AZ C*")
| eval type = case(index=fortinet, "Proxy",
                   index=iron, "Email",
                   index=035, "SFTP",
                   index=testing, "Netskope",
                   1==1, "Unknown")
| stats count by type
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Abass42
Communicator
a week ago

I am working on implementing this query, but I need to rename and standardize the output to the C_Label values so i can stats count on those. I need a count per source. I dont think i cram my eval statements with the OR statements. Ill try to incorporate this in my query

 

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...