Solved: Re: How to create a pie chart of percentages out o...

smhsplunk · ‎10-13-2016

Trying to do a pie chart out of just numeric values, getting values from different tokens and using them for this piechart, I just want to show them as % of the entire sum of numeric token values. How do you create a list of values for piechart?

index=main host="*"
| eval token1="$token1$"
| eval token2="$token2$"
| eval token3="$token3$"
| eval token4 = "$token4$"
| eval token_times = list(token1, token2, token3, token4)
| stats values by token_times

somesoni2 · ‎10-14-2016

I think something like this would work (first line is just to generate a single row where token fields can be created)

Updated

| gentimes start=-1 
| eval token1="$token1$"
 | eval token2="$token2$"
 | eval token3="$token3$"
 | eval token4 = "$token4$"
| table token*  | eval token=1 | untable token tokens value | table tokens value

View solution in original post

somesoni2 · ‎10-14-2016

I think something like this would work (first line is just to generate a single row where token fields can be created)

Updated

| gentimes start=-1 
| eval token1="$token1$"
 | eval token2="$token2$"
 | eval token3="$token3$"
 | eval token4 = "$token4$"
| table token*  | eval token=1 | untable token tokens value | table tokens value

smhsplunk · ‎10-14-2016

This again gives me a table with all values, but when I try to convert it into a piechart using visualization it shows a single color for the entire piechart (currently it shows)

token0: 0
token1: 55%
token1%: 100%

I don't have pie slices per tokens

somesoni2 · ‎10-14-2016

Try updated answer.

smhsplunk · ‎10-14-2016

This is great, this works, last question is it possible to change the token names after the last line, I tried to do but it retains the old token labels as token1, token2...

somesoni2 · ‎10-14-2016

What do you want it to be changed as? I guess you can just create the field with the name you want at the first place and you should be good (update token name in eval and table command)

smhsplunk · ‎10-14-2016

yup thanks!

jkat54 · ‎10-13-2016

Need a mvexpand in there to create 4 rows each with ts own token value before you take to pie chart...

  ... (Your 1st 4 evals) ...
  | eval a=mvzip(token1,token2) | eval b=mvzip(token3,token4) | eval allTokens=mvzip(a,b) | mvexpand allTokens | eval count=allTokens | stats count by allTokens

jkat54 · ‎10-13-2016

You may be able to skip the first 4 evals if you use the tokens in the mvzips instead

smhsplunk · ‎10-13-2016

Its giving me a piechart with a single color and single label "token1,token2,token2..."

jkat54 · ‎10-13-2016

What search did you end up with?

jkat54 · ‎10-13-2016

Wait, what value is supposed to fill the pieces of the pie and what label should label the pie pieces?

Your providing one value for each field via the token. I assume you want that as the value/count. So then token1, token2, token3, and token4 should be the labels?

jkat54 · ‎10-13-2016

Maybe this:

  index=main host="*" | eval token1="$token1$"| eval token2="$token2$"| eval token3="$token3$"| eval token4 = "$token4$"| chart values(token*) by token*

smhsplunk · ‎10-14-2016

Please see this simplified example (this doesnt work)

index=main host="*"
             | eval token1=10
              | eval token2=20
              | eval token3=30 | stats values(token*) by token*

so I would like the piechart to have labels 10 (20% slice), 20 (40% slice) and 30 (60% slice)
The correct slices are more important than labels i guess..

How to create a pie chart of percentages out of just numeric token values?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes