Pie chart using 2 inputlookup files

marceloalejandr
Path Finder

Aloha, 

We’ve a reporting requirement to create a Pie chart using 2 input files.  So far we’ve successfully created Bar charts with inputlookup files.   

Could you please advise the best way to create a Pie chart using 2 inputlookup files?  

Thanks in advance.

0 Karma

marceloalejandr
Path Finder

Both inputlookup files have one and the same field name (sAMAccountName) containing user accounts.  What's the inputlookup SPL to reference both files?  Thanks again. 

0 Karma

richgalloway
SplunkTrust

The number of inputs is irrelevant.  A pie chart just needs a single data series produced using something like this:

| stats count by foo
---
If this reply helps you, Karma would be appreciated.
0 Karma

marceloalejandr
Path Finder

Rich, 

Thanks for your message.  Currently we're able to show separate Bar charts for 2 inputlookup files.   Here's a sample of the SPL:

| inputlookup blank.csv
| appendcols [| inputlookup ServiceAccountsInOU.csv | stats count AS "Service Accounts in OU" ]
| appendcols [| inputlookup ServiceAccountsNotInOU.csv | stats count AS "Service Accounts NOT in OU"]

How would we implement your suggestion?   Thanks.

0 Karma

richgalloway
SplunkTrust

A pie chart requires a single data series, whereas the current query has two.  The pie chart will display the first series (field) as 100%.

Here's an alternative query that should work:

| inputlookup ServiceAccountsInOU.csv | eval state="Service Accounts in OU"
| append [| inputlookup ServiceAccountsNotInOU.csv | eval state="Service Accounts NOT in OU"]
| stats count by state
---
If this reply helps you, Karma would be appreciated.

marceloalejandr
Path Finder

That's awesome!  Thanks!!!

0 Karma

ITWhisperer
SplunkTrust

There is a trellis option on pie charts so you can have multiple data series with each pie chart showing one of the series.

| stats count by foo bar
| xyseries foo bar count
0 Karma

marceloalejandr
Path Finder

Both inputlookup files have one and the same field name (sAMAccountName) containing user accounts.  What's the inputlookup SPL to reference both files?   Thanks again. 

0 Karma

ITWhisperer
SplunkTrust

What are you trying to show with your pie charts? Because the inputlookup and stats command in each of the appendcols will only return one event each, a pie chart of each series will have 100%.

0 Karma

marceloalejandr
Path Finder

Each file contains a number of users and each file will have a count.  The Pie chart should include the total count of both files and then the percentages of each file's count against the total.    How do we combine the files to get the total and then show the percentage of each file's count against the total?

0 Karma
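
The combined total and per-file percentage asked about above, as an added example that is not part of the original thread: it extends the append query posted earlier so each file becomes one row of a single series, then adds the total and each row's share of it. The field names account, total and percent are hypothetical, and counting each sAMAccountName once per file, case-insensitively, is an assumption about how the two lists should be counted.

```spl
| inputlookup ServiceAccountsInOU.csv | eval state="Service Accounts in OU"
| append [| inputlookup ServiceAccountsNotInOU.csv | eval state="Service Accounts NOT in OU"]
| eval account=lower(sAMAccountName)
| stats dc(account) AS count by state
| eventstats sum(count) AS total
| eval percent=round(100*count/total, 1)
```

The pie chart only needs the state and count columns; total and percent are there for a statistics table shown next to it.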