Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get pie chart average value in three slices?

alakdam
Path Finder
‎10-05-2022 10:03 PM

Short description:
When a consumer orders groceries online, I provide the picker—the individual who picked the foods based on the order—with an estimated box that will be needed for that order and that data is stored in a database. The functionality of the Estimated box generally works, although occasionally it fluctuates. It may be greater or lesser. Actual box use data will be stored in data if the picker adds more or fewer boxes than necessary for the order. Actual data box never store in database if approximated functionality works.

Expected output: 

1. I want find out how much Percentage/Average of actual values missingI am not sure how to evaluate null/defined Actual boxes.

This is my attempt not sure is it correct:

 

 

 

| spath path=data{}.actual_totes{}.finalBoxAmount output=finalBoxes
| spath path=data{}.estimated_totes{}.box output=estimatedBox 
| stats sum(estimatedBox) as totalEstimatedBox, sum(finalBoxes) as totalFinalBoxes
| eval diff =( totalFinalBoxes - totalEstimatedBox) * 100 / totalFinalBoxes
| table diff

 

 

 


This is my data splunk data table image. As you can see in splunk table  some my actual boxes value is null/undefined/emptyObject(not sure).  In splunk JSON, this is how I get actual_totes: { }

  data: { 
     actual_totes: { },
     estimated_totes: { 
        box: 4
     }
   }



Screenshot 2022-10-06 at 7.53.46.png

PS: I'm a rookie with Splunk, thus my grasp of its syntax is limited. Please walk me through how to display the value in a PIE chart. Pie chat had the following value: Estimated Boxes, Real Boxes used, and missing actual numbers in Percentage %.

Thank you.

Labels (4)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-06-2022 03:48 PM

@alakdam Handling missing values is quite easy: just use if with isnull.  But you want to ask whether you need to calculate percentage yourself.  For starters, real values AND percentage they represent on the same piechart is nonsensical.  Your piechart either have real values so they make up a whole pie, or have percentages so they make up a whole pie. (A side note: negative values are nonsensical in piecharts so your base should be estimated boxes.)

Understandably, you want the user to see actual values, not just percentage.  In Splunk, you can simply calculate real values; Splunk's piechart visualization will supply percentage.  For example,

| stats sum(data.estimated_totes.box) as totalEstimatedBox, sum(data.actual_totes.FinalBoxAmount) as totalFinalBoxes
| eval totalFinalBoxes = if(isnull(totalFinalBoxes), 0, totalFinalBoxes)
| eval diff = (totalEstimatedBox - totalFinalBoxes)
| fields - totalEstimatedBox
| eval series = "value" ``` this is just for prettier header ```
| transpose header_field=series column_name=key

Your singular sample data will render

boxes.png

Note: you do not need separate spath to retrieve values.  If your raw events are Python, JSON should be already been extracted into dot (".") annotated paths so the above should work without spath.  If not, use a single spath to extract before stats, e.g.,

| spath input=JSONdata

 

View solution in original post

Tags (2)
0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-06-2022 03:48 PM

@alakdam Handling missing values is quite easy: just use if with isnull.  But you want to ask whether you need to calculate percentage yourself.  For starters, real values AND percentage they represent on the same piechart is nonsensical.  Your piechart either have real values so they make up a whole pie, or have percentages so they make up a whole pie. (A side note: negative values are nonsensical in piecharts so your base should be estimated boxes.)

Understandably, you want the user to see actual values, not just percentage.  In Splunk, you can simply calculate real values; Splunk's piechart visualization will supply percentage.  For example,

| stats sum(data.estimated_totes.box) as totalEstimatedBox, sum(data.actual_totes.FinalBoxAmount) as totalFinalBoxes
| eval totalFinalBoxes = if(isnull(totalFinalBoxes), 0, totalFinalBoxes)
| eval diff = (totalEstimatedBox - totalFinalBoxes)
| fields - totalEstimatedBox
| eval series = "value" ``` this is just for prettier header ```
| transpose header_field=series column_name=key

Your singular sample data will render

boxes.png

Note: you do not need separate spath to retrieve values.  If your raw events are Python, JSON should be already been extracted into dot (".") annotated paths so the above should work without spath.  If not, use a single spath to extract before stats, e.g.,

| spath input=JSONdata

 

Tags (2)
0 Karma
Reply
Solved! Jump to solution

alakdam
Path Finder
‎10-06-2022 09:37 PM

Thank you very much for advice and query. How Can I rename the totalFinalBoxes to Total final boxes

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-07-2022 12:26 AM

The command is, ahem, rename😉

| rename totalFinalBoxes AS "Total final boxes"

 

Tags (1)
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...