Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a pie chart based on "keywords" found in a field?

shinabar22
New Member
‎09-23-2019 01:15 PM 
index=timswindows sourcetype=ActiveDirectory
   [search index=timswindows sourcetype=WinEventLog EventCode=4624 Account_Name!="-"
   | dedup Account_Name
   | stats values(Account_Name) as sAMAccountName]
| dedup distinguishedName
|fields sAMAccountName, distinguishedName, host
|chart count by distinguishedName

The field in question is "distinguishedName".

There about 4 possible keywords that could be in this field.

How do I filter them out in the chart?

0 Karma
Reply

woodcock
Esteemed Legend
‎09-23-2019 03:14 PM

It should work the way that you have it. What exactly is the problem? Post sample events and a mockup of your desired outcome when you followup.

0 Karma
Reply

shinabar22
New Member
‎09-24-2019 08:51 AM

The output I get using the original syntax generates a chart with data from the field "distinguishedName."

The problem is, it shows 34 events. Some are duplicate users but different categories.

Example of a events currently in this field:

distinguishedName="CN=JoeSmith,OU=2019,OU=Dinner,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=JoeSmith,OU=2019,OU=snack,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=TheGrinch,OU=2019,OU=snack,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=TheGrinch,OU=2019,OU=breakfast,OU=Cafeteria,DC=nnv,DC=doi,DC=net"

In the distinguishedName field there about 4 possible keywords assigned to each user.
I want to search the field for a keyword, then show 4 keyword categories: breakfast, lunch, snack, dinner in my pie chart.

I want my pie chart to show how many times a "dinner" event occurred. This way I wont see Joes name 20 times on the chart. He will show up as one event for dinner and twice under snack.

The chart will only show 4 keyword categories:
breakfast - 1
lunch - 0
snack - 2
dinner - 1

0 Karma
Reply

abhi04
Communicator
‎09-23-2019 02:53 PM

You need to add the transforming command i.e.

| stats count by distinguishedName.

Check the Statistics table after running the search to make sure that a single series generated. The table should have two columns.
DIstinguishedName and its values.

After this click on the visualization tab and click on Pie chart.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...