Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help for doing a pie chart from 2 subsearch

jip31
Motivator
‎09-27-2019 07:37 AM

hi

I have the search below

`test` 
    [| inputlookup host.csv 
    | table host 
    | rename host as USERNAME ] 
| lookup aps.csv NAME as AP_NAME OUTPUT Building  
| lookup cmdb.csv HOSTNAME as USERNAME output BUILDING_DESCRIPTION
| stats last(Building) as BuildingAP, last(BUILDING_DESCRIPTION) as BuildingIT

What I need is to do a pie chart in order to have the percentage of the events where BuildingAP doesnt match with BuildingIT
So first, I have to write this where condition
After I need to count the number of events corresponding to this where condition and to count also the total number of events (events without the where condition) in order to have 2 news fields which allows doing a pie chart
but pearhaps there is another solution?
For summarize I need a pie chart with 2 label in %, one which calculate the % of events where BuildingAP is not equal to BuildingIT and another which is the equal tio the total % of events - the % the previous count
Is anybody cant help me please??

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎09-27-2019 07:51 AM

Try something like this and change according to what you are trying to compare:

 `test` 
     [| inputlookup host.csv 
     | table host 
     | rename host as USERNAME ] 
| lookup aps.csv NAME as AP_NAME OUTPUT Building  
| lookup cmdb.csv HOSTNAME as USERNAME output BUILDING_DESCRIPTION
| eval isEqual = case(Building = BUILDING_DESCRIPTION,"true","false")
| stats count by isEqual
------------
Hope I was able to help you. If so, some karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

jip31
Motivator
‎10-01-2019 10:05 PM

Ii there somebody for helping me please??

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-30-2019 10:58 PM

Is anybody has an idea please??

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-27-2019 08:23 AM

Hi jip31,
Try something like this:

`test` 
 [ | inputlookup host.csv 
   | table host 
   | rename host as USERNAME ] 
| lookup aps.csv NAME as AP_NAME OUTPUT Building  
| lookup cmdb.csv HOSTNAME as USERNAME output BUILDING_DESCRIPTION
| search NOT (Building = BUILDING_DESCRIPTION)
| stats count

Bye.
Giuseppe

Reply
Solved! Jump to solution

jip31
Motivator
‎09-29-2019 11:46 PM

Hi
I have no results (pie empty only....)

0 Karma
Reply
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎09-27-2019 07:51 AM

Try something like this and change according to what you are trying to compare:

 `test` 
     [| inputlookup host.csv 
     | table host 
     | rename host as USERNAME ] 
| lookup aps.csv NAME as AP_NAME OUTPUT Building  
| lookup cmdb.csv HOSTNAME as USERNAME output BUILDING_DESCRIPTION
| eval isEqual = case(Building = BUILDING_DESCRIPTION,"true","false")
| stats count by isEqual
------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply
Solved! Jump to solution

jip31
Motivator
‎09-29-2019 11:43 PM

Hi
it doesnt works
I have the message " Error in 'eval' command: The arguments to the 'case' function are invalid."

0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎10-06-2019 03:58 PM

can you try again? there was a typo on the case arguments (missing ")

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...