Splunk Search

How do I create a piechart visualization with the count of two field values and the sum of both displayed?

zacksoft
Contributor

I have a query that gives me the count of certain events with keyword 'ab' OR with keyword 'pq'.
The query is like this:

host="somehost1" OR "somehost2" OR "somehost3"
("ab" OR "pq")
| eval count_1 = if(like(_raw,"%ab%"),1,null())
| eval count_2 = if(like(_raw,"%pq%"),1,null())
| stats count(count_1) as ab_EventCount sum(count_2) as pq_EventCount

This query gives me the event count with keyword 'ab' and keyword 'pq' in a tabular format in the Statistics tab.
I wanted a pie chart visualization showing the percentage of ab_EventCount in one slice and pq_EventCount in another slice, out of the total events this query gives us. But when I choose the Visualization tab it doesn't happen. The pie shows all wrong.
Could anyone guide me?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi zacksoft,
try something like this:

host="somehost1" OR "somehost2" OR "somehost3" ("ab" OR "pq") 
| eval word1=if(like(_raw,"%ab%"),"ab"," "),word2=if(like(_raw,"%pq%"),"pq"," "),word=coalesce(word1,word2)
| stats count by word

If it doesn't run, put a char (e.g. "-") in the eval if,
and then show them in a pie.
Bye.
Giuseppe

0 Karma

niketn
Legend

Since there is already an accepted answer, I am adding a searchmatch() example, which is used for searching a pattern within raw data.

host="somehost1" OR "somehost2" OR "somehost3" ("ab" OR "pq")
| stats count(eval(searchmatch("ab"))) as ab_count count(eval(searchmatch("pq"))) as pq_count
| transpose

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

kamlesh_vaghela
SplunkTrust

Hi,
Can you please try this one?

host="somehost1" OR "somehost2" OR "somehost3" ("ab" OR "pq") | eval count_1 = if(like(_raw,"%ab%"),1,null()) | eval count_2 = if(like(_raw,"%pq%"),1,null()) | stats count(count_1) as ab_EventCount sum(count_2) as pq_EventCount | transpose

I have just added | transpose to your search.

Thanks

zacksoft
Contributor

Thanks kamlesh. The solution you provided works 🙂

0 Karma

kamlesh_vaghela
SplunkTrust

Welcome @zacksoft,

Please accept @gcusello's or my answer and upvote the comments that help you to close this question.

Happy Splunking

0 Karma

zacksoft
Contributor

Thanks Giuseppe. The solution you provided works like a charm.

0 Karma

zacksoft
Contributor

@Anonymous
Hi Giuseppe - Thank you. This works.
However, if I am to search for two words instead of just ab, how would I tweak the string?
Example: I want (ab AND null1) to be counted and (pq AND null2) to be counted.
Is the following line correct (syntax-wise)?

| eval word=case(like(_raw,"%ab%") AND like(_raw,"%null1%),"ab",like(_raw,"%pq%") AND like(_raw,"%null2%),"pq")
| stats count by word

The above gives me Error in 'eval' command: The expression is malformed.

0 Karma
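
Added example (not part of the thread and not any poster's code): the two-keyword classification asked about in the last post, with every like() pattern closed by its own double quote, run over constructed events from makeresults so it can be pasted into a search bar without real data. The sample event text and the helper field n are assumptions made for the illustration.

```spl
| makeresults count=6
| streamstats count AS n
| eval _raw=case(
    n==1, "constructed sample: ab null1",
    n==2, "constructed sample: ab null1 again",
    n==3, "constructed sample: pq null2",
    n==4, "constructed sample: ab only",
    n==5, "constructed sample: pq only",
    n==6, "constructed sample: ab null1 pq null2")
| eval word=case(
    like(_raw,"%ab%") AND like(_raw,"%null1%"), "ab",
    like(_raw,"%pq%") AND like(_raw,"%null2%"), "pq")
| where isnotnull(word)
| stats count by word
```

Because case() returns the first branch that matches, the constructed event containing both keyword pairs is counted only under "ab", and events matching neither pair are dropped before the count, so the result is one row per pie slice.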