Dashboards & Visualizations

Pie chart show 0 results

mcohen13
Loves-to-Learn

i have in issue with my pie chart
query:
index="customer_summary_info" | chart sum(event_category_*) | transpose

my pie show also the 0 results in the pie which is confusing
tried cont=false but it's not working

Tags (1)
0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Here's a trick to how to think about splunk... chart is a presentation command. When you are having trouble making it do what you want, then back up and do the calculation with stats, then present the data after you are done with the statistical manipulation.

In this case, chart is taking you the wrong direction. You immediately transposed the result, meaning you didn't want it presented sideways anyway.

index="customer_summary_info"
| fields event_category_*
| stats sum(event_category_*) as cat_* by index

Now you have a single record with all your event categories summarized.... pretty much the same as chart gave you. To get rid of categories with zero results, there's a trick with untable. (That's why I left another field in there, index, although it might as well have been called dummy)

| untable index Category Sum
| where Sum>0
| fields - index

You now have one record per non-zero Category, with "cat_*" in the field named Category, and the sum in the field named Sum. This should provide what you need for your pie chart.

View solution in original post

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Here's a trick to how to think about splunk... chart is a presentation command. When you are having trouble making it do what you want, then back up and do the calculation with stats, then present the data after you are done with the statistical manipulation.

In this case, chart is taking you the wrong direction. You immediately transposed the result, meaning you didn't want it presented sideways anyway.

index="customer_summary_info"
| fields event_category_*
| stats sum(event_category_*) as cat_* by index

Now you have a single record with all your event categories summarized.... pretty much the same as chart gave you. To get rid of categories with zero results, there's a trick with untable. (That's why I left another field in there, index, although it might as well have been called dummy)

| untable index Category Sum
| where Sum>0
| fields - index

You now have one record per non-zero Category, with "cat_*" in the field named Category, and the sum in the field named Sum. This should provide what you need for your pie chart.

0 Karma

mcohen13
Loves-to-Learn

i changed the query:
index="customer_summary_info" | fields event_category_* | stats sum(event_category_) as "cat_" by Dummy | untable Dummy Category Sum | where Sum>0 | fields - Dummy
and now it show no results at all

0 Karma

mcohen13
Loves-to-Learn

removed the "by Dummy" and now it works
thanks 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...