Show pie chart based on two search queries (append...

mhornste · ‎06-08-2017

Hi,

I have execution times in my index. I want to show statistics of long running queries (e.g. longer than 10 seconds). I'd like to display it in a pie chart.

The following query provides the correct counts, however, the pie chart is not working.

index=rc sourcetype=OtcsRemoteCache Operation=1001 Time_ms >= 10000|  stats count
    |  rename count as "Long Running Requests"
    |  append [search index=rc sourcetype=OtcsRemoteCache Operation=1001 Time_ms <10000|  stats count
    |  rename count as "Normal Requests"]

I know that I have to use "Stats count by comparison_category" but I can't make it work.

Any suggestions please?

cmerriman · ‎06-08-2017

can you try something like this:

index=rc sourcetype=OtcsRemoteCache Operation=1001|eval execTime=if(Time_ms>=10000,"Long Running Requests","Normal Requests")|stats count by execTime

niketn · ‎06-08-2017

You should be able to do this with single query:

index=rc sourcetype=OtcsRemoteCache Operation=1001 Time_ms=*
| eval RequestType=if(Time_ms>=10000,"Long Running Requests","Normal Requests")
| stats count by RequestType

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Show pie chart based on two search queries (append)

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?

Show pie chart based on two search queries (append)

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!