I don't know why this is so hard, but I'm having issues creating a simple pie chart. I'm relatively new to Splunk and I am still learning the ropes. Here's what I'm trying to do:
I want to create a simple pie chart that shows the percentage of return codes in a given time frame. So, for example, if there are 3 return codes (0, 1012, 1017) and there is a combined total of 1000 instances in the past week (800 for return_code 0, 150 for return_code 1012, and 50 for return_code 1017), I want the pie chart to display all 3 return codes, with 80% of the pie being return_code 0, 15% being return_code 1012, and 5% being the remaining return_code 1017.
I've flipped through the documentation so far and see a couple of different things you can do with the "chart" command, but can't seem to get it to work towards my issue. So far, I have the following:
index=main sourcetype=audit_main source=AUDIT_LOGS RETURN_CODE="*" | chart
//no idea what should follow
What search string do I need to get this to work? It should be noted that I'm not looking for just these three particular return_codes, but rather ANY and ALL return_codes for the duration of time (whether it is 3 return_codes or 9 return_codes). I would greatly appreciate any help. Thanks!