Splunk Search

Pie Chart report with two field counts

Engager

Hi Cloud of wisdom 🙂

I am starting with splunk>, and I am stuck trying to create a simple report. Basically, I have a set of IIS log files, and I am trying to create a pie chart based on the number of events IPV6 vs IPV4.

I do already have the search, but I am struggling trying to create the pie chart. I went through the documentation, but I am not able to see clearly how to do it.

This is my search:

source="C:\wamp\logipv6\." | rex field=c_ip "(?<ipv6>[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4})" | rex field=c_ip "(?<ipv4>(([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5]))"

I have created two fields, ipv6 and ipv4. The search works like a charm, but I am not able to create that simple pie chart with the count of those fields on it.

Would you mind helping me with this issue?

Thanks in advance!


Splunk Employee

It seems like what you want is a pie chart which shows two values: the count of ipv4 addresses and the count of ipv6 addresses, correct? To do that, you'll need to end up with something analogous to a single field which reflects that. There are quite a few ways to do this, so I'll just throw this one out there:

what_you_have | stats count(ipv4) as ipv4 count(ipv6) as ipv6 | transpose

The various charts are expecting some standard columnar output from your search. If you remove the "transpose" you'll see that you end up with a single row with 2 columns (value, value). Adding the transpose gives you 2 columns (label, value), which is what a pie chart wants. You could also do something like this to create a new field to count against:

what_you_have | eval type=case(isnotnull(ipv4), "ipv4", isnotnull(ipv6), "ipv6") | stats count by type

Though, it's the weekend and I'm getting different numbers in testing between those, so verify the correctness.

Also, you should lose the rex stuff and do field extractions on your events ( http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample ).


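As an added example (not part of this thread, and not Splunk's code), the script below reproduces both searches from the answer over a constructed IIS W3C log excerpt, so the difference between the two result shapes and the reason the two queries can disagree are visible without a Splunk instance. It assumes the poster's named groups are `ipv6` and `ipv4`, the IIS `c-ip` column holds the client address, and the field names and log lines are made up. It also shows the two caveats a practitioner would check before trusting the chart: the eight-group IPv6 pattern never extracts compressed addresses such as `2001:db8::1` or `::1`, and if the dot in the IPv4 pattern is left unescaped it also matches inside a fully expanded IPv6 address, so that event is counted in both columns by `stats count(ipv4) ... count(ipv6)` but only once by `case()`, which takes the first true branch.

```python
import ipaddress
import re
from collections import Counter

# Constructed IIS W3C extended log excerpt (made up for this example).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status
2023-01-01 10:00:00 192.0.2.10 GET /index.html 198.51.100.7 200
2023-01-01 10:00:01 192.0.2.10 GET /about.html 203.0.113.42 200
2023-01-01 10:00:02 2001:db8::10 GET /index.html 2001:0db8:0000:0000:0000:0000:1428:57ab 200
2023-01-01 10:00:03 2001:db8::10 GET /index.html 2001:db8::1428:57ab 200
2023-01-01 10:00:04 2001:db8::10 GET /index.html ::1 404
"""

OCTET = r"(?:[01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])"
# The poster's IPv6 pattern: eight colon-separated hex groups, i.e. only the fully expanded form.
IPV6_FULL = re.compile(r"(?P<ipv6>(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4})")
# The poster's IPv4 pattern with the separator escaped ...
IPV4 = re.compile(r"(?P<ipv4>(?:" + OCTET + r"\.){3}" + OCTET + ")")
# ... and with an unescaped dot, which matches any character, colons and digits included.
IPV4_LOOSE = re.compile(r"(?P<ipv4>(?:" + OCTET + r".){3}" + OCTET + ")")


def parse_iis(text):
    """Yield one dict per log line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.split()))


def rex_fields(c_ip, ipv4_pattern=IPV4):
    """Mimic the two rex commands: return the fields they would extract from c_ip."""
    found = {}
    m = IPV6_FULL.search(c_ip)
    if m:
        found["ipv6"] = m.group("ipv6")
    m = ipv4_pattern.search(c_ip)
    if m:
        found["ipv4"] = m.group("ipv4")
    return found


def stats_count_fields(text, ipv4_pattern=IPV4):
    """stats count(ipv4) as ipv4 count(ipv6) as ipv6 -- one wide row, one column per field.
    Each column counts independently, so an event carrying both fields is counted twice."""
    row = {"ipv4": 0, "ipv6": 0}
    for ev in parse_iis(text):
        for name in rex_fields(ev["c-ip"], ipv4_pattern):
            row[name] += 1
    return row


def transpose(row):
    """| transpose -- turn the single wide row into (label, value) rows, the shape a pie chart wants."""
    return list(row.items())


def stats_count_by_type(text, ipv4_pattern=IPV4):
    """eval type=case(isnotnull(ipv4),"ipv4",isnotnull(ipv6),"ipv6") | stats count by type.
    case() takes the first true branch, so each event lands in at most one bucket;
    events with no extracted field get a null type and drop out of the stats."""
    counts = Counter()
    for ev in parse_iis(text):
        fields = rex_fields(ev["c-ip"], ipv4_pattern)
        if "ipv4" in fields:
            counts["ipv4"] += 1
        elif "ipv6" in fields:
            counts["ipv6"] += 1
    return dict(counts)


def stats_count_by_version(text):
    """Same (label, value) shape, but classified with ipaddress, which accepts compressed IPv6 too."""
    counts = Counter()
    for ev in parse_iis(text):
        try:
            counts["ipv%d" % ipaddress.ip_address(ev["c-ip"]).version] += 1
        except ValueError:  # malformed client address: leave it out, as a null type would
            pass
    return dict(counts)


if __name__ == "__main__":
    print("stats + transpose   :", transpose(stats_count_fields(SAMPLE_LOG)))
    print("count by type       :", stats_count_by_type(SAMPLE_LOG))
    print("loose dot, columns  :", stats_count_fields(SAMPLE_LOG, IPV4_LOOSE))
    print("loose dot, by type  :", stats_count_by_type(SAMPLE_LOG, IPV4_LOOSE))
    print("ipaddress version   :", stats_count_by_version(SAMPLE_LOG))
```

With the strict patterns both searches agree (2 ipv4, 1 ipv6) but miss the two compressed IPv6 addresses; with the unescaped dot the expanded IPv6 event is extracted as both fields, so the column query reports 3 ipv4 and 1 ipv6 while the `case()` query reports 3 ipv4 and no ipv6 row at all. Classifying with `ipaddress` gives the counts the log actually contains (2 ipv4, 3 ipv6), which is the argument for a proper field extraction over ad hoc regexes.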
Engager

Thank you so much, it worked out. I already have my shiny IPV6 pie chart 🙂
