Dashboards & Visualizations

How to create a pie chart based on "keywords" found in a field?

shinabar22
New Member
index=timswindows sourcetype=ActiveDirectory
   [search index=timswindows sourcetype=WinEventLog EventCode=4624 Account_Name!="-"
   | dedup Account_Name
   | stats values(Account_Name) as sAMAccountName]
| dedup distinguishedName
| fields sAMAccountName, distinguishedName, host
| chart count by distinguishedName

The field in question is "distinguishedName".

There are about 4 possible keywords that could be in this field.

How do I filter them out in the chart?

0 Karma

woodcock
Esteemed Legend

It should work the way that you have it. What exactly is the problem? Post sample events and a mockup of your desired outcome when you follow up.

0 Karma

shinabar22
New Member

The output I get using the original syntax generates a chart with data from the field "distinguishedName."

The problem is, it shows 34 events. Some are duplicate users but different categories.

Example of events currently in this field:

distinguishedName="CN=JoeSmith,OU=2019,OU=Dinner,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=JoeSmith,OU=2019,OU=snack,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=TheGrinch,OU=2019,OU=snack,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=TheGrinch,OU=2019,OU=breakfast,OU=Cafeteria,DC=nnv,DC=doi,DC=net"

In the distinguishedName field there are about 4 possible keywords assigned to each user.
I want to search the field for a keyword, then show 4 keyword categories: breakfast, lunch, snack, dinner in my pie chart.

I want my pie chart to show how many times a "dinner" event occurred. This way I won't see Joe's name 20 times on the chart. He will show up as one event for dinner and twice under snack.

The chart will only show 4 keyword categories:
breakfast - 1
lunch - 0
snack - 2
dinner - 1

0 Karma

abhi04
Communicator

You need to add the transforming command, i.e.

| stats count by distinguishedName

Check the Statistics table after running the search to make sure that a single series is generated. The table should have two columns: distinguishedName and its values.

After this click on the visualization tab and click on Pie chart.

0 Karma
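
An added example, not part of the original thread or any poster's reply: one way to get the four-category chart asked for above is to extract the keyword from the OU path with rex and count by that instead of by the full distinguishedName. The field name category is an assumption chosen here; the index, sourcetype and keyword names come from the posts. The appended subsearch adds a zero-count row per keyword so that an empty category such as lunch still appears in the Statistics table.

```spl
index=timswindows sourcetype=ActiveDirectory
    [search index=timswindows sourcetype=WinEventLog EventCode=4624 Account_Name!="-"
    | dedup Account_Name
    | stats values(Account_Name) as sAMAccountName]
| dedup distinguishedName
| rex field=distinguishedName "(?i)OU=(?<category>breakfast|lunch|snack|dinner),"
| eval category=lower(category)
| stats count by category
| append
    [| makeresults
    | eval category=split("breakfast,lunch,snack,dinner", ",")
    | mvexpand category
    | eval count=0
    | fields category count]
| stats sum(count) as count by category
```

Events whose distinguishedName contains none of the four keywords get no category value and drop out at the first stats, so the result has at most four rows.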