Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create a pie chart based on total vs specific app logins?

daveywfii
Explorer
‎02-07-2023 10:25 AM

I am looking to create a simple pie chart that contrasts the total number of users during any give timeframe vs how many logged into a specific app. I am probably over thinking this, but what I did is a search for distinct_count of users during a period and then joined another search that calculates the distinct_count of users that logged into a specific app over that same period. For example: 

index="okta" "outcome.result"=SUCCESS displayMessage="User single sign on to app"
| stats dc(actor.alternateId) as "Total Logins"
| join [ | search index="okta" "target{}.displayName"="Palo Alto Networks - Prisma Access"  "outcome.result"=SUCCESS displayMessage="User single sign on to app"
| stats dc(actor.alternateId) as "Total Palo Logins"]
| table  "Total Palo Logins" "Total Logins"



Only issue is I can't get a proper pie graph of the percentage of Palo Logins vs Total Logins. Any help would be appreciated. I am sure I am missing something simple here. 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

caiosalonso
Path Finder
‎02-07-2023 11:30 AM

Undesrtood. Now I tried to eval two new fields that would be the percentage of Palo Alto Logins and Total Logins, and them I used the transpose to return rows as columns. Is this the results you expect?

index="okta" "outcome.result"=SUCCESS displayMessage="User single sign on to app"
| stats dc(actor.alternateId) as "Total Logins"
| join [ | search index="okta" "target{}.displayName"="Palo Alto Networks - Prisma Access"  "outcome.result"=SUCCESS displayMessage="User single sign on to app"
| stats dc(actor.alternateId) as "Total Palo Logins"]
| table  "Total Palo Logins", "Total Logins"
| eval "Total Palo Logins Percentage" = round("Total Palo Logins"*100/"Total Logins", 2)
| eval "Total Logins Percentage" = 100 - round("Total Palo Logins"*100/"Total Logins", 2)
| table "Total Palo Logins Percentage", "Total Logins Percentage"
| transpose

Don't know if this was the best way to calculate the percentage, but It seems to be working.

View solution in original post

Reply
Solved! Jump to solution

caiosalonso
Path Finder
‎02-07-2023 10:55 AM

Hi,

You can try using the transpose command to return your rows as columns, so you can get a pie chart from your query.

index="okta" "outcome.result"=SUCCESS displayMessage="User single sign on to app"
| stats dc(actor.alternateId) as "Total Logins"
| join [ | search index="okta" "target{}.displayName"="Palo Alto Networks - Prisma Access"  "outcome.result"=SUCCESS displayMessage="User single sign on to app"
| stats dc(actor.alternateId) as "Total Palo Logins"]
| table  "Total Palo Logins" "Total Logins"
| transpose

 

Reply
Solved! Jump to solution

daveywfii
Explorer
‎02-07-2023 11:12 AM

So this gets me a pie graph of Total Logins and Total Palo Logins, but I wanted a pie graph of the total palo logins as percentage of the total and not as two separate percentages in the graph. 

0 Karma
Reply
Solved! Jump to solution
Solution

caiosalonso
Path Finder
‎02-07-2023 11:30 AM

Undesrtood. Now I tried to eval two new fields that would be the percentage of Palo Alto Logins and Total Logins, and them I used the transpose to return rows as columns. Is this the results you expect?

index="okta" "outcome.result"=SUCCESS displayMessage="User single sign on to app"
| stats dc(actor.alternateId) as "Total Logins"
| join [ | search index="okta" "target{}.displayName"="Palo Alto Networks - Prisma Access"  "outcome.result"=SUCCESS displayMessage="User single sign on to app"
| stats dc(actor.alternateId) as "Total Palo Logins"]
| table  "Total Palo Logins", "Total Logins"
| eval "Total Palo Logins Percentage" = round("Total Palo Logins"*100/"Total Logins", 2)
| eval "Total Logins Percentage" = 100 - round("Total Palo Logins"*100/"Total Logins", 2)
| table "Total Palo Logins Percentage", "Total Logins Percentage"
| transpose

Don't know if this was the best way to calculate the percentage, but It seems to be working.

Reply
Solved! Jump to solution

daveywfii
Explorer
‎02-07-2023 12:10 PM

Hey thanks for the suggestion. It worked as long as I used single quotes inside the (), but I ended up going a "simpler" way to display the difference between them.

index="okta" "outcome.result"=SUCCESS displayMessage="User single sign on to app"
| stats dc(actor.alternateId) as "Total Logins"
| join [ | search index="okta" "target{}.displayName"="Palo Alto Networks - Prisma Access" "outcome.result"=SUCCESS displayMessage="User single sign on to app"
| stats dc(actor.alternateId) as "Users Logging into Prisma"]
| table "Users Logging into Prisma", "Total Logins"
| eval "Users Not Using Prisma"=('Total Logins' - 'Users Logging into Prisma')
| table "Users Logging into Prisma", "Users Not Using Prisma"
| transpose

As a side question, how are you doing the markup to designate SPL? 

0 Karma
Reply
Solved! Jump to solution

caiosalonso
Path Finder
‎02-07-2023 12:16 PM

Good it helped you.

I use the option to insert code on the formatting tab, as HTML/XML. It doesn't have an option for SPL, but It makes the code more clear to read.

caiosalonso_0-1675800938102.png

 

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...