Solved: Re: What search string do I need to get Pie Graph ...

jroes014 · ‎01-29-2018

I don't know why this is so hard, but I'm having issues creating a simple pie chart. I'm relatively new to Splunk and I am still learning the ropes. Here's what I'm trying to do:

I want to create a simple pie chart that shows the percentage of return codes in a given time frame. So, for example, if there are 3 return codes (0, 1012, 1017), and there is a combined total of 1000 instances in the past week. 800 for return_code 0, 150 for return_code 1012, and 50 for return_code 1017. I want the pie chart to display all 3 return codes, with 80% of the pie being return_code 0, 15% being return_code 1012, and 5% being the remaining return_code 1017.

I've flipped through the documentation so far and see a couple different things you can do with the "chart" command, but can't seem to get it to work towards my issue. So far, I have the following

index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" | chart

//no idea what should follow

What search string do I need to get this to work? It should be noted that I'm not looking for just these three particular return_codes, but rather ANY and ALL return_codes for the duration of time (whether it is 3 return_codes or 9 return_codes). I would greatly appreciate any help. Thanks!

philipmattocks · ‎01-29-2018

try

index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" | stats count by RETURN_CODE

and then select the Visualisation tab, and then select Pie chart

Let me know if that helps,

Philip

View solution in original post

philipmattocks · ‎01-29-2018

try

index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" | stats count by RETURN_CODE

and then select the Visualisation tab, and then select Pie chart

Let me know if that helps,

Philip

jroes014 · ‎01-29-2018

This actually works perfectly. Just a quick follow up question: how would I rename those fields that returned? For example, rather than seeing a pie chart with "1017" displayed, it would instead say "Failed Login Attempts". I'd like to do this for some, but not all of the fields. Thanks so much for your help, by the way!

philipmattocks · ‎01-29-2018

no problem!

You could use an eval statement with a case clause, something like:

index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" |eval RETURN_CODE=case(RETURN_CODE=="1017","Failed Login Attempts", RETURN_CODE=="1012","Another message",1==1,"other")|stats count by RETURN_CODE

etc.

See http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/ConditionalFunctions#case.28X... for more info on the case statement

Hope that helps

niketn · ‎01-29-2018

@philipmattocks, for better performance, it should be the other way around. Perform stats by RETURN_CODE numeric and then convert to Description. This way instead of applying eval on all events it will be applied only for specific row (depending on number of RETURN_CODEs)

 index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" 
 |stats count by RETURN_CODE
 |eval RETURN_CODE=case(RETURN_CODE=="1017","Failed Login Attempts", RETURN_CODE=="1012","Another message",1==1,"other")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jroes014 · ‎01-30-2018

Thanks again, guys! I was able to get everything working just the way I wanted. I appreciate the help!

What search string do I need to get Pie Graph by Field Value?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!