Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

pie chart to show values of two dates to compare

surekhasplunk
Communicator
‎10-18-2019 12:58 AM

Hi,

My requirement is i have given user to choose 2 dates and depending on the dates chosen i need to show pie chart so that the user can see the difference of count from Date1 to Date2.
Here is the query am using now. and i am showing that in two different panels. But it would be better if i can compare using same panel same graph.
Note: Dates are not a range.
Example: Date1 = 20/09/2019 and Date2 = 17/10/2019

index="compliance_sum" | table name result ruleName |appendpipe[lookup netshot.csv Nom as name OUTPUT "Infrastrucure Name" teamInCharge] |table name result ruleName "$infraname$" teamInCharge |search "Infrastrucure Name"="FRA-SWING" |search teamInCharge="$team$"| search result="NONCONFORMING" | eval templateType=macro_template | where result="NONCONFORMING" | stats count by teamInCharge templateType | eval teamInCharge=teamInCharge." : ".count

Thanks

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmaron
Motivator
‎10-18-2019 09:49 AM

Try pulling the date out of the _time field and stripping out everything that isn't those two dates.
You will need to set your earliest/lasted to be outside of your 2 date ranges for it to work.
Then If you add the date to your stats you can use a Trellis split by date to get your two charts

index="compliance_sum" 
| eval date = strftime(_time,"%d/%m/%Y")
| search date=Date1 OR date=Date2
| table name result ruleName 
| appendpipe 
    [ lookup netshot.csv Nom as name OUTPUT "Infrastrucure Name" teamInCharge] 
| table name result ruleName "$infraname$" teamInCharge 
| search "Infrastrucure Name"="FRA-SWING" 
| search teamInCharge="$team$" 
| search result="NONCONFORMING" 
| eval templateType=`macro_template` 
| where result="NONCONFORMING" 
| stats count by teamInCharge templateType date
| eval teamInCharge=teamInCharge." : ".count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kmaron
Motivator
‎10-18-2019 09:49 AM

Try pulling the date out of the _time field and stripping out everything that isn't those two dates.
You will need to set your earliest/lasted to be outside of your 2 date ranges for it to work.
Then If you add the date to your stats you can use a Trellis split by date to get your two charts

index="compliance_sum" 
| eval date = strftime(_time,"%d/%m/%Y")
| search date=Date1 OR date=Date2
| table name result ruleName 
| appendpipe 
    [ lookup netshot.csv Nom as name OUTPUT "Infrastrucure Name" teamInCharge] 
| table name result ruleName "$infraname$" teamInCharge 
| search "Infrastrucure Name"="FRA-SWING" 
| search teamInCharge="$team$" 
| search result="NONCONFORMING" 
| eval templateType=`macro_template` 
| where result="NONCONFORMING" 
| stats count by teamInCharge templateType date
| eval teamInCharge=teamInCharge." : ".count
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...