Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Display a pie from different values summing some of them

canyavall
New Member
‎03-05-2020 04:49 AM

Hi All, I need to show a pie for failed and succeed values, we know those values from the field "type" but 3 of them would be considered failed and 1 succeed

This is the current search:
type="bootup.bootupFailed" OR type="ForcedPortalReload" OR type="ClassLoadingFailed" OR type="allWidgetsInitializedAndLoaded" | stats dc(devRef) count by type

Of course this one is showing me a pie with all 4... but I need the pie to show only succeed and failed
failed -> type="bootup.bootupFailed" OR type="ForcedPortalReload" OR type="ClassLoadingFailed"
succeed -> type="allWidgetsInitializedAndLoaded"

How can I do it?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-05-2020 05:49 AM

Try this

type="bootup.bootupFailed" OR type="ForcedPortalReload" OR type="ClassLoadingFailed" OR type="allWidgetsInitializedAndLoaded" 
| eval type = case(type=="allWidgetsInitializedAndLoaded", "succeed", 1==1, "failed")
| stats dc(devRef) count by type
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-05-2020 05:49 AM

Try this

type="bootup.bootupFailed" OR type="ForcedPortalReload" OR type="ClassLoadingFailed" OR type="allWidgetsInitializedAndLoaded" 
| eval type = case(type=="allWidgetsInitializedAndLoaded", "succeed", 1==1, "failed")
| stats dc(devRef) count by type
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

canyavall
New Member
‎03-05-2020 05:54 AM

Awesome, thank you very much!!!

I already checked the command case for eval, now I understand it, thank you!!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...