Splunk Search

get a count of 2 items and make it in a pie chart

Path Finder

I have a search that looks like:

sourcetype="_sort" earliest=-30d
| dedup host 
| where encrypt_c =2 
| eval encrypt_c=if(encrypt_c != "2","False",encrypt_c) 
| eval encrypt_c=if(encrypt_c = "2","True",encrypt_c) 
| rename host as "Serial Number" encrypt_c as "Encryption Complete"
| table "Serial Number" "Encryption Complete" 

What I really want now is a pie chart that would show the counts of where encrypt_c=2 and where encrypt_c!=2 in a pie chart.


Hi,

Test this:

sourcetype="_sort" earliest=-30d | dedup host | eval encrypt_c=if(encrypt_c != "2","False",encrypt_c) | eval encrypt_c=if(encrypt_c = "2","True",encrypt_c) | rename host as "Serial Number" encrypt_c as "Encryption Complete" | stats count by "Encryption Complete"

After doing this, select the pie chart visualization. You will see the count of these different values.


Motivator

Hi chadman,
copy and test this XML code:

    <dashboard>
      <label>enter a label</label>
      <description/>
      <row>
        <panel>
          <chart>
            <title>enter a title</title>
            <!-- transpose turns the single row of two counts into one row per count, the shape a pie chart needs -->
            <search>
              <query>
                sourcetype="_sort" earliest=-30d | where encrypt_c=2 | dedup host | stats count as "num_encrypt=2" | appendcols [search sourcetype="_sort" earliest=-30d | where encrypt_c!=2 | dedup host | stats count as "num_encrypt!=2"] | transpose
              </query>
            </search>
            <option name="charting.chart">pie</option>
          </chart>
        </panel>
      </row>
    </dashboard>

Esteemed Legend

Try this:

sourcetype="_sort" earliest=-30d| dedup host | stats count(eval(encrypt_c =2)) AS encrypted count(eval(encrypt_c!=2)) AS unencrypted | transpose


Path Finder

Perfect! That worked great.
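
Added example, not part of any post in this thread: the per-host encryption count run on constructed rows from `makeresults`, with a third bucket for hosts whose latest event has no `encrypt_c` value, which `count(eval(encrypt_c=2))` and `count(eval(encrypt_c!=2))` both leave uncounted. The serials `SN-A` to `SN-D`, the helper field `n` and the `status` field are assumptions made for the illustration.

```spl
| makeresults count=5
| streamstats count AS n
| eval host=case(n=1,"SN-A", n=2,"SN-A", n=3,"SN-B", n=4,"SN-C", n=5,"SN-D")
| eval encrypt_c=case(n=1,2, n=2,1, n=3,2, n=4,0)
| eval _time=now()-n*3600
| sort 0 - _time
| dedup host
| eval status=case(isnull(encrypt_c),"Unknown", encrypt_c=2,"Encrypted", true(),"Not encrypted")
| stats count BY status
```

With the first six lines replaced by the real base search, `stats count BY status` already returns one row per slice, so the pie chart visualization can be selected directly.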