How can I invert my pie chart?

Path Finder

I'm trying to create a pie chart in trellis view such that it shows me the number of jobs that ended in terminal or complete state. Right now the chart shows data by state and then divides the pie into months. I want the opposite. I want the headers to display months and the respective pie charts to be divided by state.

    index="secretindex" host=$location$ sourcetype=Logs FinalState=TERMINAL OR FinalState=COMPLETE
    | timechart count(eval(FinalState="TERMINAL")) as TERMINAL, count(eval(FinalState="COMPLETE")) as COMPLETE span=1month

Please help!!

0 Karma
1 Solution

Legend

[Updated Answer]
With further details for trellis:
Please use the following option to split by the Time field, which should show the month as the trellis pie chart header:

    <option name="trellis.splitBy">Time</option>

PS: I have corrected span to 1mon as per suggestion and strftime() from %m to %b to show month abbreviation instead of month as number.


@pranaynanda, Try the following:

    index="secretindex" host=$location$ sourcetype=Logs FinalState=TERMINAL OR FinalState=COMPLETE
    | bin _time span=1mon
    | eval Time=strftime(_time,"%b-%Y")
    | chart count over FinalState by Time
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Splunk Employee

Hey @pranaynanda, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

0 Karma

Path Finder

You Rock! Thanks!

0 Karma

SplunkTrust

Save yourself some grief and train your users to look at it this way...

    | eval Time=strftime(_time,"%Y-%m")

Path Finder

It's not the format of time that I wish to change. I want the charts to look in such a way that the header says the Month and then below each month it splits the respective pie by FinalState.

Is such a thing even possible?

0 Karma

SplunkTrust

@pranaynanda - Since @niketnilay had you handled, I just made more of a plain comment than a solution. You will save yourself a LOT of grief if you just get in the habit of using that "%Y-%m" date format.

Path Finder

I appreciate your concern. I simply can't understand how that will help me. Is there something bad about the format I posted in?

0 Karma

SplunkTrust

@pranaynanda - When you put year, month, day and 24-hour format time then the human-readable values can be sorted or directly compared against each other, without changing back to epoch format. That saves massive amounts of programming.

Also, "08/11/1975" is ambiguous across cultures and locations, whereas "1975-08-11" or "1975-11-08", whichever one of those was meant, cannot be mistaken for each other. So you eliminate work and confusion at the same time.

Path Finder

Interesting. I understand now. I used the "%B %Y" format and then used the trellis view. Maybe there's more processing involved but there's no confusion here I guess. Thank you for the great advice btw. I can use it in other charts that I have. I never thought that reading a date could be so ambiguous across cultures and boundaries. Thank you for pointing that out.

SplunkTrust

@pranaynanda - Yes, it's a major cause for confusion in multinationals. Obviously, the full written-out month name is not an issue that way, but it cannot be sorted.

0 Karma

Path Finder

Apologies for picking up this old topic and not listening to you previously but I get your concern now. Can you help me sort it while letting me visually keep the "%B %Y" format? "%Y-%m" works but I think %B %Y is visually more appealing.

0 Karma

Legend

@pranaynanda, the Trellis Aggregate By field expects a query with a by clause as the final transforming command. So, while it is possible to keep the "%b %Y" format sorted using SPL, it cannot be done directly via a stats by clause, which implies Trellis will lose its Aggregate By option.

So would the following meet the need? It will retain both the numeric month for sorting and the abbreviated month name for clarity.

    <YourBaseSearch>
    | bin _time span=1mon
    | eval Time=strftime(_time,"%Y-%m (%b)")
    | chart count over FinalState by Time
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
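
Added example, not part of any post in this thread: a Python sketch that mimics the `bin` / `strftime` / `chart` steps over constructed events and reports, for each label format discussed here, the order a plain string sort gives the Time labels. `chart_by_month`, `readings` and the sample events are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (timestamp, FinalState); not data from the thread.
EVENTS = [
    ("2017-08-03 10:15:00", "COMPLETE"),
    ("2017-08-19 22:40:00", "TERMINAL"),
    ("2017-09-01 00:05:00", "COMPLETE"),
    ("2017-10-11 13:30:00", "COMPLETE"),
    ("2017-11-27 08:00:00", "TERMINAL"),
    ("2017-12-30 23:59:00", "COMPLETE"),
    ("2018-01-02 07:45:00", "TERMINAL"),
    ("2018-01-15 09:10:00", "COMPLETE"),
]


def chart_by_month(events, label_format):
    """Mimic bin _time span=1mon | eval Time=strftime(..) | chart count over FinalState by Time.
    Returns (labels in plain string order, counts per state, is that order chronological)."""
    counts = Counter()
    month_of = {}  # label -> first instant of the month it stands for
    for stamp, state in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        month = when.replace(day=1, hour=0, minute=0, second=0)
        label = month.strftime(label_format)
        counts[(state, label)] += 1
        month_of[label] = month
    labels = sorted(month_of)  # string comparison only, no epoch values involved
    states = sorted({state for _, state in events})
    table = {s: [counts[(s, label)] for label in labels] for s in states}
    return labels, table, labels == sorted(month_of, key=month_of.get)


def readings(text):
    """Every ISO date a day/month-ambiguous string such as 08/11/1975 can mean."""
    found = set()
    for fmt in ("%d/%m/%Y", "%m/%d/%Y"):
        try:
            found.add(datetime.strptime(text, fmt).date().isoformat())
        except ValueError:
            pass  # not a valid date under this reading
    return sorted(found)


if __name__ == "__main__":
    for fmt in ("%b-%Y", "%B %Y", "%Y-%m", "%Y-%m (%b)"):
        labels, table, ok = chart_by_month(EVENTS, fmt)
        print(f"{fmt!r:14} chronological={ok} {labels} {table}")
    print(readings("08/11/1975"))
```
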

Legend

@pranaynanda, sorry for not responding to this earlier. I have updated my answer, you should be able to do what you need through trellis option as mentioned in the updated answer: <option name="trellis.splitBy">Time</option>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Splunk Employee

You'll have to modify the span such that it reads 1mon and not 1m since m is reserved for minute.
