Solved: How to combine results to display in a pie chart?

Yy4pb · ‎04-06-2022

Hello Community,

I am having issues combining results to display in a pie chart - I tried a few things such as mvappend and it's not working correctly.

I have pulled a list of Domains and want to display them in a pie chart. To get the list of domains and display them in a chart I am using the following:

rex field=netbiosName "^(?<Domain>[^\\\\]+)" | stats count by Domain

This works as intended, but I have a couple of results that come up as both 'domain1' and 'domain1.com' and are displayed in the pie chart. I would like to combine these results, so that the count for both 'domain1' and 'domain1.com' is added together under just 'domain1'

Thanks

ITWhisperer · ‎04-06-2022

| rex field=netbiosName "^(?<Domain>[^\\\\]+)" 
| eval Domain=if(Domain="domain1.com","domain1",Domain)
| stats count by Domain

View solution in original post

ITWhisperer · ‎04-06-2022

Are you looking to keep just the first part of all domains, or drop the last part of all domains, or remove just .com if it exists from all domains, or change a specific set of domain.com to domain?

Yy4pb · ‎04-06-2022

I need to combine the results - so like

14 domain1
10 domain1.com

I need:

24 domain1

ITWhisperer · ‎04-06-2022

| rex field=netbiosName "^(?<Domain>[^\\\\]+)" 
| eval Domain=if(Domain="domain1.com","domain1",Domain)
| stats count by Domain

Yy4pb · ‎04-06-2022

Works exactly as I wanted - thank you!

How to combine results to display in a pie chart?

chart

rex

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience