Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create a piechart visualization with the count of two field values and the sum of both displayed?

zacksoft
Contributor
‎11-13-2017 03:25 AM

I have a query that gives me the count of certain events with keyword 'ab' OR with keyword 'pq'.
The query is like this

host="somehost1" OR "somehost2" OR "somehost3"
("ab" OR "pq")
| eval count_1 = if(like(_raw,"%ab%")
| eval count_2 = if(like(_raw,"%pq%")
| stats count(count_1) as ab_EventCount sum(count_2) as pq_EventCount

This query gives me the event count with keyword 'ab' and keyword 'pq' in a tabular format in the statistics tab.
I wanted a visualization in Pie chart with showing the percentage of ab_EventCount in one slice , pq_Eventcount in another slice out of the total events this query gives us. But when I choose visualization tab it doesn't happen. The pie shows all wrong.
Could anyone guide me ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-13-2017 03:30 AM

Hi zacksoft,
try something like this:

host="somehost1" OR "somehost2" OR "somehost3" ("ab" OR "pq") 
| eval word1=if(like(_raw,"%ab%"),"ab"," "),word2=if(like(_raw,"%pq%"),"pq"," "),word=coalesce(word1,word2)
| stats count by word

If it doesn't run put a char (e.g."-") in the eval if)
and then shot them in a pie.
Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-13-2017 04:47 AM

Since there is already an accepted answer, I am adding searchmatch() example which is used for searching pattern within raw data.

 host="somehost1" OR "somehost2" OR "somehost3" ("ab" OR "pq")
| stats count(eval(searchmatch("ab"))) as ab_count count(eval(searchmatch("pq"))) as pq_count
| transpose

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-13-2017 03:51 AM

HI
Can you please try this one?

host="somehost1" OR "somehost2" OR "somehost3" ("ab" OR "pq") | eval count_1 = if(like(_raw,"%ab%")) | eval count_2 = if(like(_raw,"%pq%")) | stats count(count_1) as ab_EventCount sum(count_2) as pq_EventCount  | transpose

I have just added | transpose to your search.

Thanks

Reply
Solved! Jump to solution

zacksoft
Contributor
‎11-13-2017 04:03 AM

Thanks kamlesh. The solution you provided works 🙂

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-13-2017 04:07 AM

Welcome @zacksoft,

Please accept @cusello or my answer and upvote the comments that help you to close this question.

Happy Splunking

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-13-2017 03:30 AM

Hi zacksoft,
try something like this:

host="somehost1" OR "somehost2" OR "somehost3" ("ab" OR "pq") 
| eval word1=if(like(_raw,"%ab%"),"ab"," "),word2=if(like(_raw,"%pq%"),"pq"," "),word=coalesce(word1,word2)
| stats count by word

If it doesn't run put a char (e.g."-") in the eval if)
and then shot them in a pie.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎11-13-2017 04:00 AM

Thanks Giuseppe. The solution you provided works like a charm.

0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎11-13-2017 03:48 AM

@Anonymous
Hi Giuseppe- Thank you . this works.
However, If I am to search two words instead of just ab, how would I tweak the string.
Example : I want (ab AND null1) to be counted and (pq AND null2) to be counted.
Is the following line correct (syntax wise) ?

| eval word=case(like(_raw,"%ab%") AND like(_raw,"%null1%),"ab",like(_raw,"%pq%") AND like(_raw,"%null2%),"pq")
| stats count by word

The above gives me Error in 'eval' command: The expression is malformed.

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...