This actually works perfectly. Just a quick follow up question: how would I rename those fields that returned? For example, rather than seeing a pie chart with "1017" displayed, it would instead say "Failed Login Attempts". I'd like to do this for some, but not all of the fields. Thanks so much for your help, by the way!
... View more
I don't know why this is so hard, but I'm having issues creating a simple pie chart. I'm relatively new to Splunk and I am still learning the ropes. Here's what I'm trying to do:
I want to create a simple pie chart that shows the percentage of return codes in a given time frame. So, for example, if there are 3 return codes (0, 1012, 1017), and there is a combined total of 1000 instances in the past week. 800 for return_code 0, 150 for return_code 1012, and 50 for return_code 1017. I want the pie chart to display all 3 return codes, with 80% of the pie being return_code 0, 15% being return_code 1012, and 5% being the remaining return_code 1017.
I've flipped through the documentation so far and see a couple different things you can do with the "chart" command, but can't seem to get it to work towards my issue. So far, I have the following
index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" | chart
//no idea what should follow
What search string do I need to get this to work? It should be noted that I'm not looking for just these three particular return_codes, but rather ANY and ALL return_codes for the duration of time (whether it is 3 return_codes or 9 return_codes). I would greatly appreciate any help. Thanks!
... View more
Maybe I've been overthinking this, but for the life of me I cannot get my Time Input to my form working! I'm using this documentation: http://docs.splunk.com/Documentation/Splunk/6.1.1/Viz/FormEditor#Add_a_time_input_to_a_for and this is my search string from my report:
index=main sourcetype=audit_main source=AUDIT_LOGS OS_USERNAME=%username%
I didn't see anything in the documentation that says I need to edit this search string. Even more importantly, however, I do not see a "Search Icon" when I go to edit a panel, let alone an option to "Edit Search String" or use a Shared Time Picker.
That said, I was able to get this partially working by playing around with the timerange a bit. My query works for items like last 15 minutes, last 24 hours, last 7 days, etc.....everything BUT for "All time". If I select "All time", get an error saying that they couldn't parse the search because of a comparator operator (Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.).
My source code is as follows:
<label>Cutomized Audit Log</label>
<description>Audit Log from Unified Audit Trail (custom table).</description>
<fieldset autoRun="false" submitButton="true">
<input type="text" token="username">
<input type="time" token="timerange" searchWhenChanged="true">
<title>Customized Audit Log</title>
<query>index=main sourcetype=audit_main source=AUDIT_LOGS OS_USERNAME=$username$ earliest=$timerange.earliest$ latest=$timerange.latest$</query>
What is going on? What am I doing wrong? Would greatly appreciate any help!
... View more