I'm trying to get the number of the field to appear in the pie chart. Currently with the following search and XML change I can get the label and the percentage of the field but would like all three to appear. Here is my search:
index=main source=mylog.log | chart latest(hardDriveUsed) as "Bytes Used" latest(hardDriveFree) as "Bytes Free" | transpose
I also add the following for the percentage in the XML (intentional spaces added between < >):
< option name="charting.chart.showPercent" >true < /option >
Any help would be greatly appreciated. Thanks!
DiscIaimer: I'm no Splunk expert. I was feeling guilty about asking so many questions here, so I thought I'd try to answer some, and I landed on yours. Lucky you! 😉
The trick (kludge) I've used is to append the byte values to the labels:
| makeresults | eval hardDriveUsed=100, hardDriveFree=200 | chart latest(hardDriveUsed) as "Used" latest(hardDriveFree) as "Free" | transpose column_name=Space | rename "row 1" as "Bytes" | eval Space = 'Space'." ".'Bytes'
That is, the eval
command replaces the values "Used" and "Free" with "Used 100" and "Free 200", respectively. (Unrealistically small byte values, I know. Sorry, I was in a hurry.)
I don't blame you if you think this answer is too ugly to accept!
DiscIaimer: I'm no Splunk expert. I was feeling guilty about asking so many questions here, so I thought I'd try to answer some, and I landed on yours. Lucky you! 😉
The trick (kludge) I've used is to append the byte values to the labels:
| makeresults | eval hardDriveUsed=100, hardDriveFree=200 | chart latest(hardDriveUsed) as "Used" latest(hardDriveFree) as "Free" | transpose column_name=Space | rename "row 1" as "Bytes" | eval Space = 'Space'." ".'Bytes'
That is, the eval
command replaces the values "Used" and "Free" with "Used 100" and "Free 200", respectively. (Unrealistically small byte values, I know. Sorry, I was in a hurry.)
I don't blame you if you think this answer is too ugly to accept!
Yes, I've seen the effect my answer has on the mouseover tooltip for each segment. However, given that you're already specifying showPercent
, I think it looks okay.
Just a thought: if the byte figures are big, you might want to show them in different units (here, megabytes):
eval Space = 'Space'." ".tostring(round('Bytes'/pow(2,20),1))." MB"
So I made a couple of changes, and it works great! (one small problem though):
| makeresults | eval hardDriveUsed=hardDriveUsedField, hardDriveFree=hardDriveFreeField| chart latest(hardDriveUsed) as "Used" latest(hardDriveFree) as "Free" | transpose column_name=Space | rename "row 1" as "Bytes" | eval Space = tostring(round('Bytes'/pow(2,20),1)). GB"." ".'Space'
Now my charting.fieldColors XML code doesn't work because I put the field values before the "Used" and "Available"
< option name="charting.fieldColors">{"Available":0x77aaff,"Used":0xff0000}< /option >
Any ideas on how to fix this? Thanks again!
Given time, and if the following solution doesn't work reliably, then I might (possibly; I'm not certain) be able to define tokens that contain the adjusted field names, and refer to those tokens in the <option>
. Or I might just be dreaming; it's late here (I'm in Perth, Australia, UTC+8).
Try replacing the fieldColors
option with this:
<option name="charting.seriesColors">[0xff0000, 0x77aaff]</option>
You might need to change the order of those colors, depending on the order of the fields in your search.
I'm not certain that seriesColors
, even when given the same number of colors as corresponding fields in the search, always assigns colors in the same order. It might; I just don't know for sure. It would be helpful if the Splunk docs were clearer on this specific point.
The changing of fieldColors to seriesColors as above worked perfectly. Thanks so much for your help Graham!
You're welcome! I'm glad I could help.
Some final points:
makeresults | eval hard...
commands that I used in my example search. I used those commands to dynamically generate data because I don't have your log. You don't need to use makeresults
with eval
to generate data; you have the data in your log.MB
string in my example to GB
. To calculate gigabytes from bytes, you need to divide the number of bytes by 2 to the power of 30: you need to change the pow(2,20)
function call to pow(2,30)
. (Guilty admission: in my original comment, which I edited shortly afterwards, I incorrectly used pow(2,10)
to convert bytes to megabytes. I did that because I was hastily copying'n'pasting from code that converted bytes to kilobytes. Sorry if that misled you.)I didn't use makeresults, I didn't even think that was a command, I was just assuming that you used that as a catch-all for my preceding code.
Also I changed it to GB because it turns out that the code is outputting in kilobytes and not bytes hence the fact that the pow function wasn't changed.
Thanks again for all your help!