Splunk Search

rename boolean value in a pie chart

thenormalone
Path Finder

I have a boolean field which I get from the search, now when I do a stats count by boolean_field, the pie chart will show boolean_field=true and boolean_field=false.

How do I rename these values to something custom/more meaningful?

0 Karma
1 Solution

yuanliu
SplunkTrust

@thenormalone wrote:

Apologies, but I should've mentioned that I tried that. After that, if I do a stats command on it, the pie chart only shows one of the values.


This is how you can illustrate your data and output in a sanitized fashion:

<your search>
| head 20 ```limit output for illustration```
| rename <your boolean field name> as boolean_field ```rename to generic name```

(Because the field has only two generic values, no sanitization is needed.) After this, you can use the generic field name to illustrate how the two pie charts differ. (Make sure to illustrate your generic test code.)

On my side, I generate a generic data set with the following simulator:

| makeresults count=50 ```this part simulates data```
| eval boolean_field = if((random() % 5 == 0 OR random() % 3 == 0), "false", "true")

Sample data look like this:

_time                boolean_field
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  true
2021-06-07 09:34:58  true
2021-06-07 09:34:58  false
2021-06-07 09:34:58  true
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  true
2021-06-07 09:34:58  true
2021-06-07 09:34:58  true
2021-06-07 09:34:58  true
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
...

As expected, a simple piechart will show true and false.

[Image: simplepie.png]

But if I rename my values using

| eval boolean_field = if(boolean_field == "true", "foo", "bar")

the piechart shows two values, foo and bar, not a single value. (Unless the input data happen to contain only one of true or false.)

[Image: renamedpie.png]

This can be corroborated by examining the "Statistics" tab under the search box.

boolean_field  count
bar            20
foo            30
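
An added diagnostic search, not part of the original post: eval's `==` compares strings case-sensitively, so a relabel keyed on the exact string "true" sends every other raw value, and events where the field is missing, to the else branch, which is another way a chart can end up with one slice. The sample values and the names n, raw_value, naive_label, norm and safe_label are constructed for illustration; only boolean_field, foo and bar come from the thread.

```spl
| makeresults count=6 ```constructed sample events, not data from the thread```
| streamstats count AS n
| eval boolean_field = case(n==1, "true", n==2, "True", n==3, "TRUE ", n==4, "false", n==5, "False") ```n==6 matches no clause, so the field stays null, like a failed extraction```
| eval raw_value = coalesce("[" . boolean_field . "]", "(missing)") ```brackets make trailing spaces visible```
| eval naive_label = if(boolean_field == "true", "foo", "bar") ```relabel as posted in the thread: exact, case-sensitive match```
| eval norm = lower(trim(boolean_field)) ```normalize case and surrounding whitespace before comparing```
| eval safe_label = case(norm == "true", "foo", norm == "false", "bar", true(), "unexpected: " . raw_value) ```anything unmapped gets its own bucket instead of hiding in the else branch```
| stats count BY raw_value naive_label safe_label
```

For the pie chart itself, end with `| stats count BY safe_label` instead; an extra slice then points at raw values the mapping did not anticipate.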


yuanliu
SplunkTrust

Something like

| eval boolean_field = if(boolean_field == "true", "true meaning", "false meaning")
0 Karma

thenormalone
Path Finder

Apologies, but I should've mentioned that I tried that. After that, if I do a stats command on it, the pie chart only shows one of the values.

0 Karma
