i have in issue with my pie chart
query:
index="customer_summary_info" | chart sum(event_category_*) | transpose
my pie show also the 0 results in the pie which is confusing
tried cont=false but it's not working
Here's a trick to how to think about splunk... chart
is a presentation command. When you are having trouble making it do what you want, then back up and do the calculation with stats
, then present the data after you are done with the statistical manipulation.
In this case, chart
is taking you the wrong direction. You immediately transposed the result, meaning you didn't want it presented sideways anyway.
index="customer_summary_info"
| fields event_category_*
| stats sum(event_category_*) as cat_* by index
Now you have a single record with all your event categories summarized.... pretty much the same as chart
gave you. To get rid of categories with zero results, there's a trick with untable
. (That's why I left another field in there, index
, although it might as well have been called dummy
)
| untable index Category Sum
| where Sum>0
| fields - index
You now have one record per non-zero Category, with "cat_*" in the field named Category, and the sum in the field named Sum. This should provide what you need for your pie chart.
Here's a trick to how to think about splunk... chart
is a presentation command. When you are having trouble making it do what you want, then back up and do the calculation with stats
, then present the data after you are done with the statistical manipulation.
In this case, chart
is taking you the wrong direction. You immediately transposed the result, meaning you didn't want it presented sideways anyway.
index="customer_summary_info"
| fields event_category_*
| stats sum(event_category_*) as cat_* by index
Now you have a single record with all your event categories summarized.... pretty much the same as chart
gave you. To get rid of categories with zero results, there's a trick with untable
. (That's why I left another field in there, index
, although it might as well have been called dummy
)
| untable index Category Sum
| where Sum>0
| fields - index
You now have one record per non-zero Category, with "cat_*" in the field named Category, and the sum in the field named Sum. This should provide what you need for your pie chart.
i changed the query:
index="customer_summary_info" | fields event_category_* | stats sum(event_category_) as "cat_" by Dummy | untable Dummy Category Sum | where Sum>0 | fields - Dummy
and now it show no results at all
removed the "by Dummy" and now it works
thanks 🙂