Splunk Search

How to create pie charts with column values?

ktanwar
Explorer

Hi guys, I am quite new to the Splunk world, pls forgive me for asking a very basic question.

 

So I have a table as following:

job_id     total_passed        total_failed      total_not_run

9                14                            20                         6

10              25                            31                        9

and so on. I want to create a pie chart for different job_ids (lets say 9), with total_passed, total_failed, total_not_run values (14, 20, 6) and total_passed, total_failed, total_not_run as the headers of the chart in Splunk dashboard. how to do it? any help will be deeply appreciated.

 

Labels (5)
Tags (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

So, if you're only looking to show a pie chart for a single job_id, then you could do this

| makeresults
| eval _raw="job_id     total_passed        total_failed      total_not_run
9                14                           20                         6
10              25                            31                        9"
| multikv forceheader=1 

| table job_id total_passed total_failed total_not_run
| where job_id=9 
| transpose 0 header_field=job_id

 The first part up to the '| table..' is creating your example.

The 'where' statement is just filtering only job_id 9

and the transpose statement converts columns to rows, so you will have 3 rows with the names/values and then the pie chart will look like this

bowesmana_0-1664762154372.png

 

View solution in original post

0 Karma

ktanwar
Explorer

Thanks @bowesmana !

0 Karma

ktanwar
Explorer

Thanks a lot @bowesmana. Tried it, works like a charm!

1 follow up question on this, how can I change the colour of the pie chart sections and the name of the fields shown on the pie chart section (instead of total_passed, I would like to see Total Passed).

Thanks a lot mate for helping me out here!

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Here's an example dashboard showing the rename and setting the colours.

In the XML you can see charting.fieldColors option to set the colours

<dashboard>
  <label>tst1</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults
| eval _raw="job_id     total_passed        total_failed      total_not_run
9                14                           20                         6
10              25                            31                        9"
| multikv forceheader=1 

| table job_id total_passed total_failed total_not_run
| where job_id=9 
| rename total_passed as "Total Passed" total_failed as "Total Failed" total_not_run as "Total not Run"
| transpose 0 header_field=job_id</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="charting.fieldColors">
          {"Total Failed": 0xFF0000, "Total not Run": 0xFF9900, "Total Passed":0x009900, "NULL":0xC4C4C0}
        </option>
      </chart>
    </panel>
  </row>
</dashboard>

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

So, if you're only looking to show a pie chart for a single job_id, then you could do this

| makeresults
| eval _raw="job_id     total_passed        total_failed      total_not_run
9                14                           20                         6
10              25                            31                        9"
| multikv forceheader=1 

| table job_id total_passed total_failed total_not_run
| where job_id=9 
| transpose 0 header_field=job_id

 The first part up to the '| table..' is creating your example.

The 'where' statement is just filtering only job_id 9

and the transpose statement converts columns to rows, so you will have 3 rows with the names/values and then the pie chart will look like this

bowesmana_0-1664762154372.png

 

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...