Solved: Re: How do I create a piechart visualization with ...

zacksoft · ‎11-13-2017

I have a query that gives me the count of certain events with keyword 'ab' OR with keyword 'pq'.
The query is like this

host="somehost1" OR "somehost2" OR "somehost3"
("ab" OR "pq")
| eval count_1 = if(like(_raw,"%ab%")
| eval count_2 = if(like(_raw,"%pq%")
| stats count(count_1) as ab_EventCount sum(count_2) as pq_EventCount

This query gives me the event count with keyword 'ab' and keyword 'pq' in a tabular format in the statistics tab.
I wanted a visualization in Pie chart with showing the percentage of ab_EventCount in one slice , pq_Eventcount in another slice out of the total events this query gives us. But when I choose visualization tab it doesn't happen. The pie shows all wrong.
Could anyone guide me ?

gcusello · ‎11-13-2017

Hi zacksoft,
try something like this:

host="somehost1" OR "somehost2" OR "somehost3" ("ab" OR "pq") 
| eval word1=if(like(_raw,"%ab%"),"ab"," "),word2=if(like(_raw,"%pq%"),"pq"," "),word=coalesce(word1,word2)
| stats count by word

If it doesn't run put a char (e.g."-") in the eval if)
and then shot them in a pie.
Bye.
Giuseppe

View solution in original post

niketn · ‎11-13-2017

Since there is already an accepted answer, I am adding searchmatch() example which is used for searching pattern within raw data.

 host="somehost1" OR "somehost2" OR "somehost3" ("ab" OR "pq")
| stats count(eval(searchmatch("ab"))) as ab_count count(eval(searchmatch("pq"))) as pq_count
| transpose

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kamlesh_vaghela · ‎11-13-2017

HI
Can you please try this one?

host="somehost1" OR "somehost2" OR "somehost3" ("ab" OR "pq") | eval count_1 = if(like(_raw,"%ab%")) | eval count_2 = if(like(_raw,"%pq%")) | stats count(count_1) as ab_EventCount sum(count_2) as pq_EventCount  | transpose

I have just added | transpose to your search.

Thanks

zacksoft · ‎11-13-2017

Thanks kamlesh. The solution you provided works 🙂

kamlesh_vaghela · ‎11-13-2017

Welcome @zacksoft,

Please accept @cusello or my answer and upvote the comments that help you to close this question.

Happy Splunking

gcusello · ‎11-13-2017

Hi zacksoft,
try something like this:

host="somehost1" OR "somehost2" OR "somehost3" ("ab" OR "pq") 
| eval word1=if(like(_raw,"%ab%"),"ab"," "),word2=if(like(_raw,"%pq%"),"pq"," "),word=coalesce(word1,word2)
| stats count by word

If it doesn't run put a char (e.g."-") in the eval if)
and then shot them in a pie.
Bye.
Giuseppe

zacksoft · ‎11-13-2017

Thanks Giuseppe. The solution you provided works like a charm.

zacksoft · ‎11-13-2017

@cusello
Hi Giuseppe- Thank you . this works.
However, If I am to search two words instead of just ab, how would I tweak the string.
Example : I want (ab AND null1) to be counted and (pq AND null2) to be counted.
Is the following line correct (syntax wise) ?

| eval word=case(like(_raw,"%ab%") AND like(_raw,"%null1%),"ab",like(_raw,"%pq%") AND like(_raw,"%null2%),"pq")
| stats count by word

The above gives me Error in 'eval' command: The expression is malformed.

How do I create a piechart visualization with the count of two field values and the sum of both displayed?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk