Pie chart merging two sources

avgilbeyzz · ‎12-21-2020

I have a table that shows the number of missing patches for our servers. I am trying to create a pie chart that will show what % of all of our servers are missing patches. I have tried entering a lookup file that has a list of all our servers, and also added another sourcetype with that same list. I can't seems to figure out how I can combine the two so I can view the list of servers that need a patch against the total list of servers we have.

renjith_nair · ‎12-21-2020

Use the lookup to store desired list of servers
Search for events where the patching is complete
Compare the servers in the event against the lookup entries

Here is a run anywhere example

|makeresults|eval country="Germany Australia"|makemv country|mvexpand country
|stats count by country
|inputlookup geo_attr_countries.csv append=true
|fillnull count value=0
|stats sum(count) as count by country

Here those countries which are in the events (makeresults) will have a count 1 and others 0. In your case, you may use it to differentiate between patched and unpatched and then find %

---
What goes around comes around. If it helps, hit it with Karma 🙂

Pie chart merging two sources

chart

join

stats

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Pie chart merging two sources

chart

join

stats

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem