Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Pie chart show 0 results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have in issue with my pie chart
query:
index="customer_summary_info" | chart sum(event_category_*) | transpose
my pie show also the 0 results in the pie which is confusing
tried cont=false but it's not working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a trick to how to think about splunk... chart is a presentation command. When you are having trouble making it do what you want, then back up and do the calculation with stats, then present the data after you are done with the statistical manipulation.
In this case, chart is taking you the wrong direction. You immediately transposed the result, meaning you didn't want it presented sideways anyway.
index="customer_summary_info"
| fields event_category_*
| stats sum(event_category_*) as cat_* by index
Now you have a single record with all your event categories summarized.... pretty much the same as chart gave you. To get rid of categories with zero results, there's a trick with untable. (That's why I left another field in there, index, although it might as well have been called dummy)
| untable index Category Sum
| where Sum>0
| fields - index
You now have one record per non-zero Category, with "cat_*" in the field named Category, and the sum in the field named Sum. This should provide what you need for your pie chart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a trick to how to think about splunk... chart is a presentation command. When you are having trouble making it do what you want, then back up and do the calculation with stats, then present the data after you are done with the statistical manipulation.
In this case, chart is taking you the wrong direction. You immediately transposed the result, meaning you didn't want it presented sideways anyway.
index="customer_summary_info"
| fields event_category_*
| stats sum(event_category_*) as cat_* by index
Now you have a single record with all your event categories summarized.... pretty much the same as chart gave you. To get rid of categories with zero results, there's a trick with untable. (That's why I left another field in there, index, although it might as well have been called dummy)
| untable index Category Sum
| where Sum>0
| fields - index
You now have one record per non-zero Category, with "cat_*" in the field named Category, and the sum in the field named Sum. This should provide what you need for your pie chart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i changed the query:
index="customer_summary_info" | fields event_category_* | stats sum(event_category_) as "cat_" by Dummy | untable Dummy Category Sum | where Sum>0 | fields - Dummy
and now it show no results at all
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
removed the "by Dummy" and now it works
thanks 🙂
New Year, New Changes for Splunk Certifications
Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!
[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events
