Splunk Search

Pie Chart max value vs active value

Contributor

I want to create a pie chart that has a max value of 22000 (this is hard-coded in). Then I have a variable list of Mac_Addresses that I want to total up and compare to the 22000 (so like 19000/22000...14000/22000..17500/22000).

index=nitro_prod_store|rename mac as Mac_Address | stats count by Mac_Address as ActiveDevices |eval TotalCount = 22000|fields TotalCount ActiveDevices

0 Karma

Re: Pie Chart max value vs active value

Super Champion

What are you trying to rename as ActiveDevices? count or Mac_Address? The as ActiveDevices should go after count if you're renaming that. And you want the total of all Mac_Addresses divided by TotalCount?

Try this:

index=nitro_prod_store|rename mac as Mac_Address | stats count as ActiveDevices by Mac_Address|stats sum(ActiveDevices) as ActiveDevices|eval TotalCount = 22000|fields TotalCount ActiveDevices
0 Karma

Re: Pie Chart max value vs active value

SplunkTrust

Give this a try.

index=nitro_prod_store| stats count as ActiveDevices by mac |rename mac as Mac_Address | appendpipe [| stats sum(ActiveDevices) as ActiveDevices | eval Mac_Address=ActiveDevices."/22000"| eval ActiveDevices =22000-ActiveDevices ]
0 Karma

Re: Pie Chart max value vs active value

SplunkTrust

Run anywhere sample of one easy way to do it...

| makeresults | eval ActiveDevices=17500
| rename COMMENT as "The above line just creates one test data record like your stats output."

| rename COMMENT as "This next section takes your stats output and creates one record for Active, one for Inactive."
| eval mycount = mvappend("Active=".ActiveDevices, "Inactive=".tonumber(22000-ActiveDevices)) 
| mvexpand mycount 
| rex field=mycount "(?<status>[^=]*)=(?<count>.*)"
| table status count

| rename COMMENT as "This renames the active status to have your desired format."
| rename COMMENT as "This could be done inside the first eval, but it would make the code less readable."
| eval status=if(status="Active",count."/22000 Active",status)

...or, if it's the "Inactive" slice that you want labeled with the "Active" numbers...

| eval status=if(status="Inactive",count."/22000",status)

0 Karma

Re: Pie Chart max value vs active value

Contributor

Thank you, this was incredibly helpful!

0 Karma

Re: Pie Chart max value vs active value

SplunkTrust

Glad to oblige.

0 Karma