Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a pie chart based on "keywords" found in a field?

shinabar22
New Member
‎09-23-2019 01:15 PM 
index=timswindows sourcetype=ActiveDirectory
   [search index=timswindows sourcetype=WinEventLog EventCode=4624 Account_Name!="-"
   | dedup Account_Name
   | stats values(Account_Name) as sAMAccountName]
| dedup distinguishedName
|fields sAMAccountName, distinguishedName, host
|chart count by distinguishedName

The field in question is "distinguishedName".

There about 4 possible keywords that could be in this field.

How do I filter them out in the chart?

0 Karma
Reply

woodcock
Esteemed Legend
‎09-23-2019 03:14 PM

It should work the way that you have it. What exactly is the problem? Post sample events and a mockup of your desired outcome when you followup.

0 Karma
Reply

shinabar22
New Member
‎09-24-2019 08:51 AM

The output I get using the original syntax generates a chart with data from the field "distinguishedName."

The problem is, it shows 34 events. Some are duplicate users but different categories.

Example of a events currently in this field:

distinguishedName="CN=JoeSmith,OU=2019,OU=Dinner,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=JoeSmith,OU=2019,OU=snack,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=TheGrinch,OU=2019,OU=snack,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=TheGrinch,OU=2019,OU=breakfast,OU=Cafeteria,DC=nnv,DC=doi,DC=net"

In the distinguishedName field there about 4 possible keywords assigned to each user.
I want to search the field for a keyword, then show 4 keyword categories: breakfast, lunch, snack, dinner in my pie chart.

I want my pie chart to show how many times a "dinner" event occurred. This way I wont see Joes name 20 times on the chart. He will show up as one event for dinner and twice under snack.

The chart will only show 4 keyword categories:
breakfast - 1
lunch - 0
snack - 2
dinner - 1

0 Karma
Reply

abhi04
Communicator
‎09-23-2019 02:53 PM

You need to add the transforming command i.e.

| stats count by distinguishedName.

Check the Statistics table after running the search to make sure that a single series generated. The table should have two columns.
DIstinguishedName and its values.

After this click on the visualization tab and click on Pie chart.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...