Intersect, Diff and Pie Chart

belka · ‎01-09-2014

I have a very large number of win7 machines. I pulled a CSV file from Active Directory, AD1.csv. I then created another CSV file from the deployment clients DC1.csv. What I want to do is compare the total number of clients with the number reporting in with deployment clients. I want a Pie Chart that is the total number of Win7 machines split between a slice that is the machines with deployment clients and a slice that are the machines without a deployment client.

I was experimenting with | set diff [inputlookup AD1.csv | fields hostname][inputlookup DC1.csv | fields hostname] Where I am stumped is how to make that into a pie chart. Any ideas? Thanks!

somesoni2 · ‎01-09-2014

Try this

|inputlookup AD1.csv | fields hostname | join type=left hostname [|inputlookup DC1.csv | fields hostname | eval hasDC="Y"] | eval hasDC=coalesce(hasDC,"N") | chart count(eval(hasDC="Y")) as HasDC, count(eval(hasDC="N")) as NoDC

Intersect, Diff and Pie Chart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation

Intersect, Diff and Pie Chart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence