Re: Pie chart merging two sources

avgilbeyzz · ‎12-21-2020

I have a table that shows the number of missing patches for our servers. I am trying to create a pie chart that will show what % of all of our servers are missing patches. I have tried entering a lookup file that has a list of all our servers, and also added another sourcetype with that same list. I can't seems to figure out how I can combine the two so I can view the list of servers that need a patch against the total list of servers we have.

renjith_nair · ‎12-21-2020

Use the lookup to store desired list of servers
Search for events where the patching is complete
Compare the servers in the event against the lookup entries

Here is a run anywhere example

|makeresults|eval country="Germany Australia"|makemv country|mvexpand country
|stats count by country
|inputlookup geo_attr_countries.csv append=true
|fillnull count value=0
|stats sum(count) as count by country

Here those countries which are in the events (makeresults) will have a count 1 and others 0. In your case, you may use it to differentiate between patched and unpatched and then find %

---
What goes around comes around. If it helps, hit it with Karma 🙂

Pie chart merging two sources

chart

join

stats

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

Join the Conversation