Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Display different values as different labels

wicke_s
Explorer
‎06-16-2020 08:10 AM

I am creating a splunk dashboard pie chart panel and the values I am displaying are too large (long strings) to be displayed in a small panel. Is it possible to display the chart values in a readable / concise labels?

For e.g., If the below is my sample query:

index=network sourcetype=logserver | stats dc(Field.ID) by Field.Message

 

If Field.Message is "All transfers were successful", I want to display just "Success" in the pie chart
If Field.Message is "Some transfers failed", I want to display just "Failed"

and so on..

 

What is the best way to achieve this? Thanks in advance

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dmarling
Builder
‎06-16-2020 08:24 AM

Hello @wicke_s,

The simplest method would be to create an eval that adjusted the output of the Field.Message so it matches your requirements:

index=network sourcetype=logserver 
| eval "Field.Message"=case('Field.Message'="All transfers were successful", "Success", 'Field.Message'="Some transfers failed", "Failed", 1=1, "Other")
| stats dc(Field.ID) by Field.Message

If you have more messages that are unaccounted for you can modify it to be a bit more generic using LIKE:

index=network sourcetype=logserver 
| eval "Field.Message"=case('Field.Message' LIKE "%successful%", "Success", 'Field.Message' LIKE "%failed%", "Failed", 1=1, "Other")
| stats dc(Field.ID) by Field.Message

Ultimately that eval will need to account for all of your use cases or you will end up with a large "Other" bucket.

If this comment/answer was helpful, please up vote it. Thank you.

View solution in original post

Reply
Solved! Jump to solution

anilchaithu
Builder
‎06-16-2020 08:25 AM

@wicke_s 

you can change the field values in the query using the below logic. This will change the label in the pie chart 

index=network sourcetype=logserver | stats dc(Field.ID) by Field.Message | replace "All transfers were successful" with Success in Field.Message

Reply
Solved! Jump to solution
Solution

dmarling
Builder
‎06-16-2020 08:24 AM

Hello @wicke_s,

The simplest method would be to create an eval that adjusted the output of the Field.Message so it matches your requirements:

index=network sourcetype=logserver 
| eval "Field.Message"=case('Field.Message'="All transfers were successful", "Success", 'Field.Message'="Some transfers failed", "Failed", 1=1, "Other")
| stats dc(Field.ID) by Field.Message

If you have more messages that are unaccounted for you can modify it to be a bit more generic using LIKE:

index=network sourcetype=logserver 
| eval "Field.Message"=case('Field.Message' LIKE "%successful%", "Success", 'Field.Message' LIKE "%failed%", "Failed", 1=1, "Other")
| stats dc(Field.ID) by Field.Message

Ultimately that eval will need to account for all of your use cases or you will end up with a large "Other" bucket.

If this comment/answer was helpful, please up vote it. Thank you.
Reply
Solved! Jump to solution

wicke_s
Explorer
‎06-16-2020 08:37 AM

Thank you @dmarling , That worked. I have a follow up question about your "Other" bucket comment. What if not all the values of the Field.Message is known before hand? For e.g., Can we display

 

"All transfers were successful" as "Success"

"Some transfers failed" as "Failed"

and display all other Field.Message values as it is

0 Karma
Reply
Solved! Jump to solution

dmarling
Builder
‎06-16-2020 08:41 AM

You sure can.  Just modify it slightly:

 

| eval "Field.Message"=case('Field.Message'="All transfers were successful", "Success", 'Field.Message'="Some transfers failed", "Failed", 1=1, 'Field.Message')
If this comment/answer was helpful, please up vote it. Thank you.
Reply
Solved! Jump to solution

wicke_s
Explorer
‎06-16-2020 08:46 AM

@dmarling  Exactly what I was looking for, Thank you so much!!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...