Splunk Search

How to limit the number of bars in a Bar Chart made with Search and Eval?

ksextonmacb
Path Finder

I have a search that makes a stacked bar chart:

tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | chart count by user, myVar

This search plots number of authentications per user, with each authentication attempt being split between success and failure as the colors in the stacked bar chart.

However, I have a lot of users. I want to limit the number of users this bar chart displays to some number of more active users and lump the rest in other, but documentation I've read on the matter doesn't seem to work when applied. The bins command fails outright, the limit command applies to myVar instead of user no matter where I put it, and the top command overwrites my chart command.

I also tried using a pivot, but it seems I can't compare two tags against each other without getting other tags involved.

I've also tried using a where clause, but that too is applied to myVar. I think this simply isn't possible.

I want the graph pictures below, but with only the bars with the highest count displayed.
alt text

Does anyone know how I could do what I want?

0 Karma
1 Solution

ksextonmacb
Path Finder

This search does the thing that I want. Just change 10 to however many bars you want.

tag=authentication user!=NULL AND (tag=success OR tag=failure) | eval myVar=if(tag=="success","success","failure") | chart count as Count by user, myVar | addtotals fieldname=total | sort -total | fields user failure success | head 10

It looks like the "fields" in my chart become user, success, failure, and a few others instead of the fields in my search. This was what caused me problems.

If anyone knows how to get an "other" bar involved in all of this that'd be swell, but this is good enough.

View solution in original post

0 Karma

ksextonmacb
Path Finder

This search does the thing that I want. Just change 10 to however many bars you want.

tag=authentication user!=NULL AND (tag=success OR tag=failure) | eval myVar=if(tag=="success","success","failure") | chart count as Count by user, myVar | addtotals fieldname=total | sort -total | fields user failure success | head 10

It looks like the "fields" in my chart become user, success, failure, and a few others instead of the fields in my search. This was what caused me problems.

If anyone knows how to get an "other" bar involved in all of this that'd be swell, but this is good enough.

0 Karma

fdi01
Motivator

try like :

tag=authentication user!=NULL | chart count(eval(tag="success")) as "count tag succes",  count(eval(tag!="success")) as "count tag faillures" by   user limit=8 useother="f" usenull="f"
0 Karma

ksextonmacb
Path Finder

The limit is still not being applied to users. This search produces the same graph as in the image with the names of the colors changed.

0 Karma

chimell
Motivator

Hi ksextonmacb
Try this search code

tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | chart count by  myVar , user limit=8 useother="f" usenull="f"
0 Karma

ksextonmacb
Path Finder

This gets me two bars, one for success and one for failure, with the color of each stacked bar corresponding to user. I'm after a bar for each desired user, with the color of each stacked bar corresponding to the value of myVar.

I do think this answer is as close as I'm going to get to what I want, though.

0 Karma

chimell
Motivator
0 Karma

vinitatsky
Communicator

1) To get the tag count per user
tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | stats dc(myVar) as tagCount by user

2) To display in sort order (descending) by tagCount
tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | stats dc(myVar) as tagCount by user | sort -eventCount

3) To display top 10 users (From above search)
tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | stats dc(myVar) as tagCount by user | sort -eventCount | head 10

0 Karma

ksextonmacb
Path Finder

This just gives me a chart telling me if a user has ever succeeded or failed VS succeeded and failed; the values are all either one or two. It doesn't split results over success and failure, and it doesn't give out the number of successes and failures.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...