Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

rename boolean value in a pie chart

thenormalone
Path Finder
‎06-04-2021 04:24 PM

I have a boolean field which I get from the search, now when I do a stats count by boolean_field, the pie chart will show boolean_field=true and boolean_field=false.

How do I rename these values to something custom/more meaningful?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎06-07-2021 09:49 AM
@thenormalone wrote:

apologies but I should've mentioned that I tried that. After that if I do a stats command on it, the pie chart only shows one of the values

This is how you can illustrate your data  and output in a sanitized fashion:

 

 

 

<your search>
| top 20 # limit output for illustration
| rename <your boolean field name> as boolean_field # rename to generic name

 

 

 

(because  the field has only two generic values, no sanitization needed.)  After this, you can use the generic field name to illustrate how the two pie charts differ. (Make sure to illustrate your generic test  code.

On my side, I generate a generic data set with the following simulator

 

 

 

| makeresults count=50 # this part simulates data
| eval boolean_field = if((random() % 5 == 0 OR random() % 3 ==0), "false", "true")

 

 

 

Sample data look like this

_timeboolean_field
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58true
2021-06-07 09:34:58true
2021-06-07 09:34:58false
2021-06-07 09:34:58true
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58true
2021-06-07 09:34:58true
2021-06-07 09:34:58true
2021-06-07 09:34:58true
2021-06-07 09:34:58false
2021-06-07 09:34:58false
... 

As expected, a simple piechart will show true and false

simplepie.png

But if I rename my values using

 

 

| eval boolean_field = if(boolean_field == "true", "foo", "bar")

 

 

the piechart shows two values, foo and bar, not a  single value. (Unless the input data happen to contain only one of true or  false.)

renamedpie.png

This  can be corroborated by examining the  "Statistics"  tab under the search box.

boolean_fieldcount
bar20
foo30

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎06-04-2021 08:58 PM

Something like

| eval boolean_field = if(boolean_field == "true", "true meaning", "false meaning")
0 Karma
Reply
Solved! Jump to solution

thenormalone
Path Finder
‎06-06-2021 09:00 AM

apologies but I should've mentioned that I tried that. After that if I do a stats command on it, the pie chart only shows one of the values

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎06-07-2021 09:49 AM
@thenormalone wrote:

apologies but I should've mentioned that I tried that. After that if I do a stats command on it, the pie chart only shows one of the values

This is how you can illustrate your data  and output in a sanitized fashion:

 

 

 

<your search>
| top 20 # limit output for illustration
| rename <your boolean field name> as boolean_field # rename to generic name

 

 

 

(because  the field has only two generic values, no sanitization needed.)  After this, you can use the generic field name to illustrate how the two pie charts differ. (Make sure to illustrate your generic test  code.

On my side, I generate a generic data set with the following simulator

 

 

 

| makeresults count=50 # this part simulates data
| eval boolean_field = if((random() % 5 == 0 OR random() % 3 ==0), "false", "true")

 

 

 

Sample data look like this

_timeboolean_field
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58true
2021-06-07 09:34:58true
2021-06-07 09:34:58false
2021-06-07 09:34:58true
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58false
2021-06-07 09:34:58true
2021-06-07 09:34:58true
2021-06-07 09:34:58true
2021-06-07 09:34:58true
2021-06-07 09:34:58false
2021-06-07 09:34:58false
... 

As expected, a simple piechart will show true and false

simplepie.png

But if I rename my values using

 

 

| eval boolean_field = if(boolean_field == "true", "foo", "bar")

 

 

the piechart shows two values, foo and bar, not a  single value. (Unless the input data happen to contain only one of true or  false.)

renamedpie.png

This  can be corroborated by examining the  "Statistics"  tab under the search box.

boolean_fieldcount
bar20
foo30
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...