Splunk Search

What search string do I need to get Pie Graph by Field Value?

New Member

I don't know why this is so hard, but I'm having issues creating a simple pie chart. I'm relatively new to Splunk and I am still learning the ropes. Here's what I'm trying to do:

I want to create a simple pie chart that shows the percentage of return codes in a given time frame. So, for example, if there are 3 return codes (0, 1012, 1017), and there is a combined total of 1000 instances in the past week. 800 for return_code 0, 150 for return_code 1012, and 50 for return_code 1017. I want the pie chart to display all 3 return codes, with 80% of the pie being return_code 0, 15% being return_code 1012, and 5% being the remaining return_code 1017.

I've flipped through the documentation so far and see a couple different things you can do with the "chart" command, but can't seem to get it to work towards my issue. So far, I have the following:

index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" | chart 

//no idea what should follow

What search string do I need to get this to work? It should be noted that I'm not looking for just these three particular return_codes, but rather ANY and ALL return_codes for the duration of time (whether it is 3 return_codes or 9 return_codes). I would greatly appreciate any help. Thanks!

0 Karma
1 Solution

Path Finder

try

index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" | stats count by RETURN_CODE

and then select the Visualisation tab, and then select Pie chart

Let me know if that helps,

Philip

0 Karma

New Member

This actually works perfectly. Just a quick follow up question: how would I rename those fields that returned? For example, rather than seeing a pie chart with "1017" displayed, it would instead say "Failed Login Attempts". I'd like to do this for some, but not all of the fields. Thanks so much for your help, by the way!

0 Karma

Path Finder

no problem!

You could use an eval statement with a case clause, something like:

index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" |eval RETURN_CODE=case(RETURN_CODE=="1017","Failed Login Attempts", RETURN_CODE=="1012","Another message",1==1,"other")|stats count by RETURN_CODE

etc.

See http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/ConditionalFunctions#case.28X... for more info on the case statement

Hope that helps

0 Karma

Legend

@philipmattocks, for better performance, it should be the other way around. Perform stats by the numeric RETURN_CODE and then convert to the description. This way, instead of applying eval to all events, it will be applied only to specific rows (depending on the number of RETURN_CODEs).

 index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" 
 |stats count by RETURN_CODE
 |eval RETURN_CODE=case(RETURN_CODE=="1017","Failed Login Attempts", RETURN_CODE=="1012","Another message",1==1,"other")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma
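An added example, not from anyone in this thread, that extends the stats-then-eval form above: it also computes each code's share of the total (the percentage the original question asked for) and keeps every unmapped RETURN_CODE as its own slice instead of merging them all into the `1==1,"other"` branch, which would hide the "any and all return_codes" requirement. The index, sourcetype, source and field names are taken from the thread; the descriptive labels are constructed placeholders.

```spl
index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*"
| stats count by RETURN_CODE
| eventstats sum(count) as total
| eval pct=round(100*count/total, 1)
| eval label=case(
    RETURN_CODE=="1017", "Failed Login Attempts (1017)",
    RETURN_CODE=="1012", "Another message (1012)",
    1==1, "Return code ".RETURN_CODE)
| table label count pct
| sort - count
```

The pie chart in the Visualization tab takes `label` for the slice names and the next numeric column (`count`) for slice size; `pct` is visible in the Statistics tab for checking the 80/15/5 split.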

New Member

Thanks again, guys! I was able to get everything working just the way I wanted. I appreciate the help!

0 Karma