Solved: Re: How can I invert my pie chart?

pranaynanda · ‎09-15-2017

I'm trying to create a pie chart in trellis view such that it shows me the number of jobs that ended in terminal or complete state. Right now the chart shows data by state and then divides the pie into months. I want the opposite. I want the headers to display months and the respective pie charts to be divided by state.

index="secretindex" host=$location$ sourcetype=Logs FinalState=TERMINAL OR FinalState=COMPLETE| timechart count(eval(FinalState="TERMINAL")) as TERMINAL, count(eval(FinalState="COMPLETE")) as COMPLETE span=1month

Please help!!

niketn · ‎09-15-2017

[Updated Answer]
With further details for trellis:
Please use the following option to split by Time field which should show Month as Trellis Pie Chart Header

    <option name="trellis.splitBy">Time</option>

PS: I have corrected span to 1mon as per suggestion and strftime() from %m to %b to show month abbreviation instead of month as number.

@pranaynanda, Try the following:

index="secretindex" host=$location$ sourcetype=Logs FinalState=TERMINAL OR FinalState=COMPLETE|
| bin _time span=1mon
| eval Time=strftime(_time,"%b-%Y")
| chart count over FinalState by Time

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

lfedak_splunk · ‎09-15-2017

Hey @pranaynanda, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

niketn · ‎09-15-2017

[Updated Answer]
With further details for trellis:
Please use the following option to split by Time field which should show Month as Trellis Pie Chart Header

    <option name="trellis.splitBy">Time</option>

PS: I have corrected span to 1mon as per suggestion and strftime() from %m to %b to show month abbreviation instead of month as number.

@pranaynanda, Try the following:

index="secretindex" host=$location$ sourcetype=Logs FinalState=TERMINAL OR FinalState=COMPLETE|
| bin _time span=1mon
| eval Time=strftime(_time,"%b-%Y")
| chart count over FinalState by Time

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pranaynanda · ‎09-20-2017

You Rock! Thanks!

DalJeanis · ‎09-15-2017

Save yourself some grief and train your users to look at it this way...

 | eval Time=strftime(_time,"%Y-%m")

pranaynanda · ‎09-17-2017

It's not the format of time that I wish to change. I want the charts to look in such a way that the header says the Month and then below each month it splits the respective pie by FinalState.

Is such a thing even possible?

DalJeanis · ‎09-20-2017

@pranaynanda - Since @niketnilay had you handled, I just made more of a plain comment than a solution. You will save yourself a LOT of grief if you just get in the habit of using that "%Y-%m" date format.

pranaynanda · ‎09-21-2017

I appreciate your concern. I can't simply understand how will that help me? Is something bad about the format I posted in?

DalJeanis · ‎09-21-2017

@pranaynanda - When you put year, month, day and 24-hour format time then the human-readable values can be sorted or directly compared against each other, without changing back to epoch format. That saves massive amounts of programming.

Also, "08/11/1975" is ambiguous across cultures and locations, whereas "1975-08-11" or "1975-11-08", whichever one of those was meant, cannot be mistaken for each other. So you eliminate work and confusion at the same time.

pranaynanda · ‎09-22-2017

Interesting. I understand now. I used the "%B %Y" format and then used the trellis view. Maybe there's more processing involved but there's no confusion here I guess. Thank you for the great advice btw. I can use it in other charts that I have. I never thought that reading date could be such ambiguous across cultures and boundaries. Thank you for pointing that out.

DalJeanis · ‎09-25-2017

@pranaynanda - Yes, it's a major cause for confusion in multinationals. Obviously, the full written-out month name is not an issue that way, but it cannot be sorted.

pranaynanda · ‎11-06-2017

Apologies for picking up this old topic and not listening to you previously but I get your concern now. Can you help me sort it while letting me visually keep the "%B %Y" format? "%Y-%m" works but I think %B %Y is visually more appealing.

niketn · ‎11-07-2017

@pranaynanda, Trellis Aggregate By field expects query with a by clause to be final transforming command. So, while it is possible to keep "%b %Y" format sorted using SPL. It can not be done directly via stats by clause. Which implies Trellis will loose its Aggregate By option.

So would the following suffice the need? It will retain both digit month for sorting and abbreviated Month name for clarity.

 <YourBaseSearch>
| bin _time span=1mon
| eval Time=strftime(_time,"%Y-%m (%b)")
| chart count over FinalState by Time

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎09-20-2017

@pranaynanda, sorry for not responding to this earlier. I have updated my answer, you should be able to do what you need through trellis option as mentioned in the updated answer: <option name="trellis.splitBy">Time</option>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jluo_splunk · ‎09-15-2017

You'll have to modify the span such that it reads 1mon and not 1m since m is reserved for minute.

How can I invert my pie chart?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!