Show pie chart based on two search queries (append...

mhornste · ‎06-08-2017

Hi,

I have execution times in my index. I want to show statistics of long running queries (e.g. longer than 10 seconds). I'd like to display it in a pie chart.

The following query provides the correct counts, however, the pie chart is not working.

index=rc sourcetype=OtcsRemoteCache Operation=1001 Time_ms >= 10000|  stats count
    |  rename count as "Long Running Requests"
    |  append [search index=rc sourcetype=OtcsRemoteCache Operation=1001 Time_ms <10000|  stats count
    |  rename count as "Normal Requests"]

I know that I have to use "Stats count by comparison_category" but I can't make it work.

Any suggestions please?

cmerriman · ‎06-08-2017

can you try something like this:

index=rc sourcetype=OtcsRemoteCache Operation=1001|eval execTime=if(Time_ms>=10000,"Long Running Requests","Normal Requests")|stats count by execTime

niketn · ‎06-08-2017

You should be able to do this with single query:

index=rc sourcetype=OtcsRemoteCache Operation=1001 Time_ms=*
| eval RequestType=if(Time_ms>=10000,"Long Running Requests","Normal Requests")
| stats count by RequestType

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Show pie chart based on two search queries (append)

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Show pie chart based on two search queries (append)

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!