Dashboards & Visualizations

Pie Chart AppendCol Data


I have successfully used appendcol to gather percentage of successful and failed scans. I would like to make this data into a pie chart for my dashboard. 

When I click visualization-> pie chart it is all one color. 


Here is my search 


index="secops" sourcetype="tenable:sc:vuln" plugin_id=19506 pluginText!="*Host_Scan*" | dedup ip | search pluginText="*Credentialed checks : no*" | stats count(plugin_id) as failed_scans | appendcols [search index="secops" sourcetype="tenable:sc:vuln" plugin_id=19506 pluginText!="*Host_Scan*" | dedup ip | search pluginText="*Credentialed checks : yes*" | stats count(plugin_id) as successful_scans] | eval total_scans=(failed_scans+successful_scans) | eval failed_percent=(failed_scans/total_scans*100) | eval failed_percent=round(failed_percent,2) | eval success_percent=(successful_scans/total_scans*100) | eval success_percent=round(success_percent,2) | table success_percent failed_percent



Thank you in advanced. 

Labels (1)
0 Karma


Corrected typo for match() condition which does not need *


@fbond_diligent  as your final pipe if you add transpose command it should show Pie chart (convert result columns to rows).


| transpose


However, there are a lot of performance steps that you need to adopt. https://docs.splunk.com/Documentation/Splunk/8.0.5/Search/Writebettersearches

  1. Filter only required events from index based on pluginText as yes and no.
  2. Perform stats using specific fields to deduplicate instead dedup with all the fields.
  3. Avoid subsearch as it introduces sub-search limitations (which may drop events if you hit limit).
  4. Chain eval as single eval for performance and simple code.



index="secops" sourcetype="tenable:sc:vuln" plugin_id=19506 pluginText!="*Host_Scan*" pluginText IN ("*Credentialed checks : yes*","*Credentialed checks : no*") 
| stats count as total_scans count(eval(match(pluginText,"Credentialed checks : no"))) as failed_scans count(eval(match(pluginText,"Credentialed checks : yes"))) as successful_scans by ip 
| stats sum(*_scans) as *_scans 
| eval failed_percent=round((failed_scans/total_scans*100),2), success_percent=round((success_percent/total_scans*100),2) 
| fields success_percent failed_percent 
| transpose 0 header_field="status" 
| rename "row 1" as percent


| makeresults | eval message= "Happy Splunking!!!"
0 Karma



Thank you for your reply, I will take a look at the website your provided. 

However when I try your search I am getting the following error:

Error in 'stats' command: The eval expression for dynamic field 'eval(match(pluginText,"*Credentialed checks : no*"))' is invalid. Error='Regex: quantifier does not follow a repeatable item'.


Thank you,



0 Karma


@fbond_diligent sorry for the copy paste issue. match() condition is regex based. So * is not required. Please check updated SPL.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...