Splunk Search

How to show a percentage of the total events in a pie chart

Path Finder

I feel dumb for asking something so simple, but I can't make this work. I'm trying to show a percentage I've calculated as a piechart:

| dbxquery query=stuff | stats count(eval(Start_Date_Time > 
End_Date_Time)) as breach count as total | eval percent=breach/total*100 | eval total=total/total*100 | chart max(percent) over total

As you can see, I calculated both the percent of events where the start time is greater than the end time, and the corresponding total, which, of course is 100%. All I need to do now is show it in a pie chart. I calculated the total percent due to the chart only showing a solid block of color for my percent. I was hoping that I could use it to show the percentage correctly, but I was wrong on that.

Also, I can't use top; I need to consider all the events, not just the top values.

0 Karma
1 Solution

Esteemed Legend

Try this:

| dbxquery query=stuff 
| stats count(eval(Start_Date_Time > End_Date_Time)) as breach count as total
| eval breach=100*breach/total
| eval non-breach=100-breach
| transpose

View solution in original post

Esteemed Legend

Try this:

| dbxquery query=stuff 
| stats count(eval(Start_Date_Time > End_Date_Time)) as breach count as total
| eval breach=100*breach/total
| eval non-breach=100-breach
| transpose

View solution in original post

Path Finder

This actually works very well. I just made a minor modification to get rid of the total field.

 | dbxquery query=stuff 
 | stats count(eval(Start_Date_Time > End_Date_Time)) as breach count as total
 | eval breach=100*breach/total
 | eval non-breach=100-breach
 | transpose

Now I'm just going to figure out how to show count with it. Thank you

0 Karma

Esteemed Legend

If you don't do the percentage and just show raw values for breach and non-breach it should show both count and percent.

0 Karma

SplunkTrust
SplunkTrust

Pie chart requires a by-clause

Try

| chart max(percent) by something

You don't even have to calculate the percent

This might work:

| stats max(breach) by _time

You need your data to end up with multiple rows and more than one column like this:

hostname,breach_count
HostA,25
HostB,75

Then | stats max(breach_count) by hostname
would have a pie chart where the total is 100 and HostA would be 25% and HostB would be 75%.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!