Dashboards & Visualizations

How to show both values and percentages bar chart?

maayan
Path Finder

Hi,

Too many hours to solve such a simple question...It is supposed to be a basic thing

I want to present both percentages and regular values in bar chart (it can be in the tooltip, like it exists in a pie chart),
If not possible to present only percentages but add the "%" symbol (when I tried to add % it converted the fields to string and nothing was shown in the chart)

* I can't add a js script, no access to the server

This is my query:
| stats sum(CountEvents) by CT
| rename "sum(CountEvents)" as "countE"
| eventstats sum(countE) as Total
| eval perc=round(countE*100/Total,2)
| chart sum(perc) as "EventsPercentages[%]" over CT

thanks a lot

Labels (1)
Tags (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

I'm not sure if I understand your need, but maybe this helps?

| stats sum(CountEvents) as countE by CT
| eventstats sum(countE) as Total
| eval perc=round(countE*100/Total,2)
| chart sum(perc) as "EventsPercentages[%]" values(countE) as countE over CT

Then in visualisation tab select Format -> Chart Overlay

- > Overlay (e.g.  your % field) and View as Axis = On

r. Ismo

View solution in original post

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

I'm not sure if I understand your need, but maybe this helps?

| stats sum(CountEvents) as countE by CT
| eventstats sum(countE) as Total
| eval perc=round(countE*100/Total,2)
| chart sum(perc) as "EventsPercentages[%]" values(countE) as countE over CT

Then in visualisation tab select Format -> Chart Overlay

- > Overlay (e.g.  your % field) and View as Axis = On

r. Ismo

0 Karma

maayan
Path Finder

Can we show them in one row? for example: 
223,229 (45%)

it will look much better

0 Karma

isoutamo
SplunkTrust
SplunkTrust
You could try eval foo = bar . “(“ . zaa . “%)” or something similar. Then fields - <other unneeded fields>
0 Karma

maayan
Path Finder

Thanks but how to present that in a bar chart? (to add foo to my bar chart). I can present that only in a table

| stats sum(CountEvents) by CT
| rename "sum(CountEvents)" as "countE"
| eventstats sum(countE) as Total
| eval perc=round(countE*100/Total,2)
| eval foo = countE . "(" . perc ."%" .")"
| fields - Total perc

0 Karma

maayan
Path Finder

i added:
| xyseries CT,foo,countE
 to my query i think its ok 🙂

0 Karma

isoutamo
SplunkTrust
SplunkTrust
If needed you could add "|fillnull value=0" at the end.
0 Karma

maayan
Path Finder

Hi thanks
not soo petty, but good enough as a workaround
Do you know how can I add "%" to each value?

current query:
| stats sum(CountEvents) by CT
| rename "sum(CountEvents)" as "CountEvents"
| eventstats sum(CountEvents) as Total
| eval percentages%=round(CountEvents*100/Total,2)
| fields - Total

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...