Splunk Search

Concatenate field and count to display label in pie chart

philallen1
Path Finder

Hi

This is my query:

Username="*"   | top limit=10000 Username

This gives me a table with many rows, where the first row looks like this:

Username               count    percent
Vivek Lamba (lambav)   607      10.483592

I then view this data using a Pie Chart in my Dashboard.

Currently the labels on the pie chart only display the Username. How can I change my query so that the labels display:
"Username - count"
(i.e. "Vivek Lamba (lambav) - 607")

I've tried adding in an eval command like so:

Username="*"   |  eval UserPlusCount = Username + "-" + count | top limit=10000 UserPlusCount

...but I get 'No results found"

What am I doing wrong?

Thanks

0 Karma

gun1989
New Member

Hi Can we add a dynamic result to a header ?

0 Karma

gfuente
Motivator

Hello

try this:

...|  eval UserPlusCount = Username. "-". count |...

If it doesnt works, rename the count as other field

Regards

philallen1
Path Finder

Sorry I'm new to Splunk. How would the full query look? When I remove the 'top' piece of the query it breaks altogether. What should I replace it with?

Username="*" | stats count as Username by myfield | eval UserPlusCount = Username. "-". myfield | ...(i.e. what should go here)...

Thanks

0 Karma

gfuente
Motivator

try:

Instead of top, use: ... | stats count as myfield by Username | eval UserPlusCount = Username. "-". myfield |...

EDIT: Now I noticed, you have to do the eval after the top command, then you have the count field, and you can use it in the eval.

0 Karma

philallen1
Path Finder

I just tried:

Username="*" | eval UserPlusCount = Username. "-". Username| top limit=10000 UserPlusCount

And that did bring back data in a table like so:

Vivek Lamba (lambav) - Vivek Lamba (lambav) 607 10.483592

However, when I change "Username" to "count" it doesn't work at all! Any ideas?

0 Karma

philallen1
Path Finder

Hi gfuente - thanks for you're unbelievably quick reply.

I tried this:
Username="*" | eval UserPlusCount = Username. "-". count | top limit=10000 UserPlusCount
as you suggested and it didn't work. "No results found"

What do you mean by:
"rename the count as other field"?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!