Splunk Search

rename boolean value in a pie chart

thenormalone
Path Finder

I have a boolean field which I get from the search, now when I do a stats count by boolean_field, the pie chart will show boolean_field=true and boolean_field=false.

How do I rename these values to something custom/more meaningful?


yuanliu
Builder

@thenormalone wrote:

Apologies, but I should've mentioned that I tried that. After that, if I do a stats command on it, the pie chart only shows one of the values.


This is how you can illustrate your data and output in a sanitized fashion:

<your search>
| top 20 # limit output for illustration
| rename <your boolean field name> as boolean_field # rename to generic name

(Because the field has only two generic values, no sanitization is needed.) After this, you can use the generic field name to illustrate how the two pie charts differ. (Make sure to illustrate your generic test code.)

On my side, I generate a generic data set with the following simulator

| makeresults count=50 # this part simulates data
| eval boolean_field = if((random() % 5 == 0 OR random() % 3 ==0), "false", "true")

Sample data look like this

_time                boolean_field
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  true
2021-06-07 09:34:58  true
2021-06-07 09:34:58  false
2021-06-07 09:34:58  true
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
2021-06-07 09:34:58  true
2021-06-07 09:34:58  true
2021-06-07 09:34:58  true
2021-06-07 09:34:58  true
2021-06-07 09:34:58  false
2021-06-07 09:34:58  false
... 

As expected, a simple piechart will show true and false.

[Image: simplepie.png]

But if I rename my values using

| eval boolean_field = if(boolean_field == "true", "foo", "bar")

the piechart shows two values, foo and bar, not a single value. (Unless the input data happen to contain only one of true or false.)

[Image: renamedpie.png]

This can be corroborated by examining the "Statistics" tab under the search box.

boolean_field  count
bar            20
foo            30
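
As an added example (not part of the original posts): a run-anywhere search that puts the renaming from the answer above next to a normalized mapping, for the case where a field's values are not all the exact string "true". The mixed values TRUE and 1, the streamstats counter n, and the field names naive, normalized and label are assumptions made for this illustration.

```spl
| makeresults count=50
| streamstats count as n
| eval boolean_field = case(n % 5 == 0, "TRUE", n % 3 == 0, "false", n % 7 == 0, "1", true(), "true")
| eval naive = if(boolean_field == "true", "foo", "bar")
| eval normalized = lower(trim(tostring(boolean_field)))
| eval label = case(
    in(normalized, "true", "1"), "foo",
    in(normalized, "false", "0"), "bar",
    true(), "unmapped: " . normalized)
| stats count by boolean_field naive label
```

Because == in eval compares strings case-sensitively, the naive column sends TRUE and 1 to bar, while label maps them to foo and gives any value that matches neither list its own unmapped row. For the pie chart itself, end the search with stats count by label.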


yuanliu
Builder

Something like

| eval boolean_field = if(boolean_field == "true", "true meaning", "false meaning")

thenormalone
Path Finder

Apologies, but I should've mentioned that I tried that. After that, if I do a stats command on it, the pie chart only shows one of the values.
