Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk bar chart how can i display percentage and total count

Cheng2Ready
Path Finder
Friday 
index=test   pod=poddy1 "severity"="INFO"    "message"="IamExample*"

| rex field=message "IamExample(?<total>).*"
| rex field=message ".*ACCOUNT<accountreg>.*):"
| rex field=message ".*Login(?<login>.*)"
| rex field=message ".*Profile(?<profile>"
| rex field=message ".*Card(?<card>)"
| rex field=message ".*Online(?<online>) "

| stats count(total) as "Total" count(accountreg) as "Account" count(login) as "Login" count(profile) as "Profile" count(card) as "Card" count(online) as "Online "


Choosing a bar chart to display has "Total" show on the left hand side is there a way remove it?

Cheng2Ready_1-1732903835512.png
also hovering over the chart its showing the count
is there a way to make it display like this example below?

field, count , percentage we want to divide Account , Login , Profile, Online it by Total that we have above 

Cheng2Ready_2-1732903909165.png

 

 

 

 




Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
Friday

The Total on the y-axis comes from the first column listed in your results, so replace that with a column with a space for a name

| rex field=message "IamExample(?<total>).*"
| rex field=message ".*ACCOUNT(?<accountreg>.*):"
| rex field=message ".*Login(?<login>.*)"
| rex field=message ".*Profile(?<profile>)"
| rex field=message ".*Card(?<card>)"
| rex field=message ".*Online(?<online>) "

| stats count(total) as "_Total" count(accountreg) as "Account" count(login) as "Login" count(profile) as "Profile" count(card) as "Card" count(online) as "Online"
| foreach *
    [| eval name="<<FIELD>>: ".round(100*<<FIELD>>/_Total, 2)."%"
    | eval {name} = <<FIELD>>]
| table " " Account:* Login:* Profile:* Card:* Online:*

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
Friday

The Total on the y-axis comes from the first column listed in your results, so replace that with a column with a space for a name

| rex field=message "IamExample(?<total>).*"
| rex field=message ".*ACCOUNT(?<accountreg>.*):"
| rex field=message ".*Login(?<login>.*)"
| rex field=message ".*Profile(?<profile>)"
| rex field=message ".*Card(?<card>)"
| rex field=message ".*Online(?<online>) "

| stats count(total) as "_Total" count(accountreg) as "Account" count(login) as "Login" count(profile) as "Profile" count(card) as "Card" count(online) as "Online"
| foreach *
    [| eval name="<<FIELD>>: ".round(100*<<FIELD>>/_Total, 2)."%"
    | eval {name} = <<FIELD>>]
| table " " Account:* Login:* Profile:* Card:* Online:*
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...