Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help for doing a pie chart from 2 subsearch

jip31
Motivator
‎09-27-2019 07:37 AM

hi

I have the search below

`test` 
    [| inputlookup host.csv 
    | table host 
    | rename host as USERNAME ] 
| lookup aps.csv NAME as AP_NAME OUTPUT Building  
| lookup cmdb.csv HOSTNAME as USERNAME output BUILDING_DESCRIPTION
| stats last(Building) as BuildingAP, last(BUILDING_DESCRIPTION) as BuildingIT

What I need is to do a pie chart in order to have the percentage of the events where BuildingAP doesnt match with BuildingIT
So first, I have to write this where condition
After I need to count the number of events corresponding to this where condition and to count also the total number of events (events without the where condition) in order to have 2 news fields which allows doing a pie chart
but pearhaps there is another solution?
For summarize I need a pie chart with 2 label in %, one which calculate the % of events where BuildingAP is not equal to BuildingIT and another which is the equal tio the total % of events - the % the previous count
Is anybody cant help me please??

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎09-27-2019 07:51 AM

Try something like this and change according to what you are trying to compare:

 `test` 
     [| inputlookup host.csv 
     | table host 
     | rename host as USERNAME ] 
| lookup aps.csv NAME as AP_NAME OUTPUT Building  
| lookup cmdb.csv HOSTNAME as USERNAME output BUILDING_DESCRIPTION
| eval isEqual = case(Building = BUILDING_DESCRIPTION,"true","false")
| stats count by isEqual
------------
Hope I was able to help you. If so, some karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

jip31
Motivator
‎10-01-2019 10:05 PM

Ii there somebody for helping me please??

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-30-2019 10:58 PM

Is anybody has an idea please??

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-27-2019 08:23 AM

Hi jip31,
Try something like this:

`test` 
 [ | inputlookup host.csv 
   | table host 
   | rename host as USERNAME ] 
| lookup aps.csv NAME as AP_NAME OUTPUT Building  
| lookup cmdb.csv HOSTNAME as USERNAME output BUILDING_DESCRIPTION
| search NOT (Building = BUILDING_DESCRIPTION)
| stats count

Bye.
Giuseppe

Reply
Solved! Jump to solution

jip31
Motivator
‎09-29-2019 11:46 PM

Hi
I have no results (pie empty only....)

0 Karma
Reply
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎09-27-2019 07:51 AM

Try something like this and change according to what you are trying to compare:

 `test` 
     [| inputlookup host.csv 
     | table host 
     | rename host as USERNAME ] 
| lookup aps.csv NAME as AP_NAME OUTPUT Building  
| lookup cmdb.csv HOSTNAME as USERNAME output BUILDING_DESCRIPTION
| eval isEqual = case(Building = BUILDING_DESCRIPTION,"true","false")
| stats count by isEqual
------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply
Solved! Jump to solution

jip31
Motivator
‎09-29-2019 11:43 PM

Hi
it doesnt works
I have the message " Error in 'eval' command: The arguments to the 'case' function are invalid."

0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎10-06-2019 03:58 PM

can you try again? there was a typo on the case arguments (missing ")

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...