So a manager comes into my office and asks for a pie chart.

I tell him, yes it's possible, in fact I can do it today. Big F.

I quickly whip up this vastly inefficient search string and all I want is one pie chart with two slices: gross data and gross voice:

sourcetype="wan_traffic" earliest=@d SITE=RDGDC-WAN1 OR SITE=RDGDC-WAN2 | fields SITE,WS_OUT_OCTETS,WS_VOICE_OUT_OCTETS,VZ_OUT_OCTETS,VZ_VOICE_OUT_OCTETS | accum WS_OUT_OCTETS as WS_GROSS | accum VZ_OUT_OCTETS as VZ_GROSS | eval GROSS=WS_GROSS + VZ_GROSS | accum WS_VOICE_OUT_OCTETS as WS_VOICE | accum VZ_VOICE_OUT_OCTETS as VZ_VOICE | eval VOICE=WS_VOICE + VZ_VOICE | eval DATA=GROSS - VOICE | chart last(GROSS),last(DATA), last(VOICE)

However, after reading all the docs and answers on this board - my wish remains unfilled.

Curiosity killed the cat. I couldn't resist clicking Show Report. What it generates is indeed a pie chart - however it is generating a 100% full blue pie chart of one value. Mousing over it reveals what it is doing with the 2nd value. I'll stop here.

My guess is I need series theory. I'm missing something basic.

I think I need either quantum physics with quarks theory taught to me, or search string series theory taught to me. I'm thinking splunk's the easier of the two.

I need some enlightenment! Anyone care to step up to this probably easy plate?

=============================== UPDATE:

I solved it. Turns out Splunk's Pie Chart engine requires a 2x2 table at a minimum. I didn't realize that and had just output a single summary results table with 1 line.

I had to use eval to generate the labels in column one, and append to generate the values for column two.

This works to generate the 2x2 table using eval to generate the labels in column 1 and append to generate the values in column two.

sourcetype="wan_traffic" earliest=@d SITE=RDGDC-WAN1 | fields SITE,WS_OUT_OCTETS,WS_VOICE_OUT_OCTETS,VZ_OUT_OCTETS,VZ_VOICE_OUT_OCTETS | accum WS_OUT_OCTETS as WS_GROSS | accum VZ_OUT_OCTETS as VZ_GROSS | eval GROSS=WS_GROSS + VZ_GROSS | accum WS_VOICE_OUT_OCTETS as WS_VOICE | accum VZ_VOICE_OUT_OCTETS as VZ_VOICE | eval V=WS_VOICE + VZ_VOICE | eval D=GROSS - V | eval TYPE="Data" | chart last(D) as BYTES by TYPE | append [search sourcetype="wan_traffic" earliest=@d SITE=RDGDC-WAN1 | fields SITE,WS_OUT_OCTETS,WS_VOICE_OUT_OCTETS,VZ_OUT_OCTETS,VZ_VOICE_OUT_OCTETS | accum WS_OUT_OCTETS as WS_GROSS | accum VZ_OUT_OCTETS as VZ_GROSS | eval GROSS=WS_GROSS + VZ_GROSS | accum WS_VOICE_OUT_OCTETS as WS_VOICE | accum VZ_VOICE_OUT_OCTETS as VZ_VOICE | eval V=WS_VOICE + VZ_VOICE | eval D=GROSS - V | eval TYPE="Voice" | chart last(V) as BYTES by TYPE]

This generates the 2x2 table properly:

TYPE   BYTES
Data   206051242413
Voice  1440297883

Which Splunk will happily generate into a pie chart. However, the search string is very huge. Any idea how to optimize?

asked 17 Nov '10, 14:05

jfolkers
edited 21 Apr '11, 12:53

jlaw ♦
2 Answers:

I think you want to back away slowly from accum and instead embrace the much more powerful and simple stats command. You are indeed using a complicated and obscure method where a simple and common method would work better. Granted it doesn't look any simpler at first blush, but when you get used to what you can do with the stats command it'll seem simpler.

I'd start here for now:

sourcetype="wan_traffic" earliest=@d SITE=RDGDC-WAN1 OR SITE=RDGDC-WAN2 | stats sum(WS_OUT_OCTETS) as WS_GROSS sum(VZ_OUT_OCTETS) as VZ_GROSS sum(WS_VOICE_OUT_OCTETS) as WS_VOICE sum(VZ_VOICE_OUT_OCTETS) as VZ_VOICE | eval GROSS=WS_GROSS + VZ_GROSS | eval VOICE=WS_VOICE + VZ_VOICE | eval DATA=GROSS - VOICE

http://www.splunk.com/base/Documentation/latest/SearchReference/Stats

answered 17 Nov '10, 19:26

sideview ♦
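As an added illustration (not code from this thread), a small Python model of the three searches above run over constructed events: it shows that the accum-then-last() chain in the question and sideview's stats sum() rewrite produce the same totals, that a pie chart needs the one-row-per-slice TYPE/BYTES shape the update builds with append, and how the hourly column chart in the follow-up buckets the same numbers. Field names are the page's; event values are made up.

```python
from collections import defaultdict

FIELDS = ("WS_OUT_OCTETS", "VZ_OUT_OCTETS", "WS_VOICE_OUT_OCTETS", "VZ_VOICE_OUT_OCTETS")


def ev(t, site, ws, wsv, vz, vzv):
    """Build one constructed wan_traffic event (values invented for the demo)."""
    return {"_time": t, "SITE": site, "WS_OUT_OCTETS": ws, "WS_VOICE_OUT_OCTETS": wsv,
            "VZ_OUT_OCTETS": vz, "VZ_VOICE_OUT_OCTETS": vzv}

EVENTS = [ev(0, "RDGDC-WAN1", 1000, 100, 500, 50), ev(1800, "RDGDC-WAN2", 2000, 300, 0, 0),
          ev(3600, "RDGDC-WAN1", 700, 70, 300, 30), ev(5400, "RDGDC-WAN2", 400, 40, 100, 10)]


def derive(s):
    """The eval chain both searches share: GROSS, VOICE and DATA = GROSS - VOICE."""
    gross = s["WS_OUT_OCTETS"] + s["VZ_OUT_OCTETS"]
    voice = s["WS_VOICE_OUT_OCTETS"] + s["VZ_VOICE_OUT_OCTETS"]
    return {"GROSS": gross, "VOICE": voice, "DATA": gross - voice}


def totals_via_accum(events):
    """The original search: accum keeps a running total per field, last() reads the end."""
    running = dict.fromkeys(FIELDS, 0)
    for e in events:                      # accum walks the events in order
        for f in FIELDS:
            running[f] += e.get(f, 0)
    return derive(running)                # last() is the final running row


def totals_via_stats(events):
    """sideview's rewrite: stats sum() over every event, then the same evals."""
    return derive({f: sum(e.get(f, 0) for e in events) for f in FIELDS})


def pie_table(totals):
    """One row per slice (TYPE, BYTES): the shape the update's append trick produces."""
    return [("Data", totals["DATA"]), ("Voice", totals["VOICE"])]


def hourly_table(events, span=3600):
    """The follow-up column chart: bucket _time span=1h | stats sum(V), sum(D) by _time."""
    by_hour = defaultdict(lambda: {"Voice": 0, "Data": 0})
    for e in events:
        hour = e["_time"] - e["_time"] % span
        v = e["WS_VOICE_OUT_OCTETS"] + e["VZ_VOICE_OUT_OCTETS"]
        g = e["WS_OUT_OCTETS"] + e["VZ_OUT_OCTETS"]
        by_hour[hour]["Voice"] += v
        by_hour[hour]["Data"] += g - v
    return [(h, by_hour[h]["Voice"], by_hour[h]["Data"]) for h in sorted(by_hour)]
```

Because sums are order-independent, both paths agree regardless of the event order Splunk returns; stats does the same work in one pass without carrying running totals through every event.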

Nick, you'd be so proud of me. I used your stats & sum technique in a new column chart I made.

sourcetype="wan_traffic" earliest=@d SITE=RDGDC-WAN1 | fields SITE,WS_OUT_OCTETS,WS_VOICE_OUT_OCTETS,VZ_OUT_OCTETS,VZ_VOICE_OUT_OCTETS | eval V=WS_VOICE_OUT_OCTETS+VZ_VOICE_OUT_OCTETS | eval G=WS_OUT_OCTETS+VZ_OUT_OCTETS | eval D=G-V | bucket _time span=1h | stats sum(V) as Voice, sum(D) as Data by _time

So, even though your answer helped only with field formation optimization, I'm going to give you credit for the answer.

answered 17 Nov '10, 23:59

jfolkers
hehe. Sweet. I'm glad to hear. Yea once you really discover what stats can do it's like discovering the search language all over again.

(22 Apr '11, 11:08) sideview ♦
Copyright © 2005-2014 Splunk Inc. All rights reserved.