I don't know why this is so hard, but I'm having issues creating a simple pie chart. I'm relatively new to Splunk and I am still learning the ropes. Here's what I'm trying to do:
I want to create a simple pie chart that shows the percentage of return codes in a given time frame. So, for example, if there are 3 return codes (0, 1012, 1017), and there is a combined total of 1000 instances in the past week. 800 for return_code 0, 150 for return_code 1012, and 50 for return_code 1017. I want the pie chart to display all 3 return codes, with 80% of the pie being return_code 0, 15% being return_code 1012, and 5% being the remaining return_code 1017.
I've flipped through the documentation so far and see a couple of different things you can do with the "chart" command, but can't seem to get it to work for my issue. So far, I have the following:
index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" | chart
//no idea what should follow
What search string do I need to get this to work? It should be noted that I'm not looking for just these three particular return_codes, but rather ANY and ALL return_codes for the duration of time (whether it is 3 return_codes or 9 return_codes). I would greatly appreciate any help. Thanks!
Try
index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" | stats count by RETURN_CODE
and then select the Visualisation tab, then select Pie chart.
Let me know if that helps,
Philip
This actually works perfectly. Just a quick follow up question: how would I rename those fields that returned? For example, rather than seeing a pie chart with "1017" displayed, it would instead say "Failed Login Attempts". I'd like to do this for some, but not all of the fields. Thanks so much for your help, by the way!
No problem!
You could use an eval statement with a case clause, something like:
index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" | eval RETURN_CODE=case(RETURN_CODE=="1017","Failed Login Attempts", RETURN_CODE=="1012","Another message", 1==1,"other") | stats count by RETURN_CODE
etc.
See http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/ConditionalFunctions#case.28X... for more info on the case statement
Hope that helps
@philipmattocks, for better performance, it should be the other way around. Perform stats by the numeric RETURN_CODE and then convert it to a description. This way, instead of applying eval to all events, it is applied only to specific rows (depending on the number of RETURN_CODEs):
index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*"
| stats count by RETURN_CODE
| eval RETURN_CODE=case(RETURN_CODE=="1017","Failed Login Attempts", RETURN_CODE=="1012","Another message", 1==1,"other")
| makeresults | eval message= "Happy Splunking!!!"
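The two orderings discussed above, as an added Python example that is not part of the thread: it labels per event and then counts (the earlier search), and counts by raw code and then labels each result row (the reordered search), on constructed audit events, checks that both give the same slices, and counts how often the lookup runs. The sample events, the RETURN_CODE regex and the label() helper are assumptions; unmapped codes keep their raw value here, since the asker wanted only some codes renamed.

```python
from collections import Counter
import re

# Constructed sample audit events, not from the thread: 16 x code 0, 3 x 1012, 1 x 1017
# (an 80/15/5 split, matching the proportions in the question).
SAMPLE_EVENTS = (
    ["ts=2024-01-01T00:00:00 user=alice RETURN_CODE=0"] * 16
    + ["ts=2024-01-01T00:05:00 user=bob RETURN_CODE=1012"] * 3
    + ["ts=2024-01-01T00:09:00 user=carol RETURN_CODE=1017"]
)

# Same mapping as the thread's case() clause; codes absent here keep their raw
# value (assumed here), matching the wish to rename some codes but not all.
LABELS = {"1017": "Failed Login Attempts", "1012": "Another message"}

RC_RE = re.compile(r"RETURN_CODE=(\S+)")

def extract_code(event):
    """Stand-in for the RETURN_CODE="*" field extraction; None if the field is absent."""
    m = RC_RE.search(event)
    return m.group(1) if m else None

def label(code, calls):
    """case()-style lookup with a fallback; `calls` records how often it ran."""
    calls["n"] += 1
    return LABELS.get(code, code)

def label_then_count(events):
    """Earlier ordering: eval on every event, then stats count by the label."""
    calls = {"n": 0}
    counts = Counter(label(c, calls) for c in map(extract_code, events) if c is not None)
    return dict(counts), calls["n"]

def count_then_label(events):
    """Reordered search: stats count by raw code first, then label each result row."""
    calls = {"n": 0}
    by_code = Counter(c for c in map(extract_code, events) if c is not None)
    counts = Counter()
    for code, n in by_code.items():
        counts[label(code, calls)] += n   # rows sharing a label merge into one slice
    return dict(counts), calls["n"]

def percentages(counts):
    """Share of each slice, as the pie chart visualisation renders it."""
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 2) for k, v in counts.items()}

if __name__ == "__main__":
    slow, slow_calls = label_then_count(SAMPLE_EVENTS)
    fast, fast_calls = count_then_label(SAMPLE_EVENTS)
    assert slow == fast
    print(percentages(fast), "label() calls:", slow_calls, "vs", fast_calls)
```

With 20 events and 3 distinct codes the lookup runs 20 times in the first ordering and 3 times in the second, which is the performance point being made.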
Thanks again, guys! I was able to get everything working just the way I wanted. I appreciate the help!
