Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use two different fields to create a pie chart?

shariinPH
Contributor
‎10-16-2014 01:30 AM

Hi Splukers,

My problem here is that i have a search :

index=myindexname sourcetype=mysourcetype |stats latest(field1) as postedpayments latest(field2) as exceptions |eval result=round(expected-actual)

What i want to do is that i want to show in the pie chart the value of posted payments and the value of the exceptions

Please help us with our problem

Thanks 🙂

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎10-16-2014 02:29 AM

Hi shariinPH;

from the docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Viz/Datastructurerequirementsforvisualizations#Pie...

Pie charts are one dimensional and only support a single series. They work off of tables with just two columns, where the first column contains the labels for each slice of the pie, and the second column contains numerical values that correspond to each label, determining the relative size of each slice. If the table generated by the search contains additional columns, those extra columns have no meaning in the terms of the pie chart and are ignored.

This means your search will not work this way. But there are some ways you can achieve the target; try this run everywhere command:

index=_internal OR index=_audit | stats count(buckets) AS buckets sum(kb) AS sum | transpose

or something like this

index=_internal OR index=_audit | eval type=case(isnotnull(kb), "kb", isnotnull(buckets), "buckets") | stats count by type

adapted to your provide search string, something like this should work:

index=myindexname sourcetype=mysourcetype | stats latest(field1) as postedpayments latest(field2) as exceptions | transpose

hope this helps to get you started ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎10-16-2014 02:29 AM

Hi shariinPH;

from the docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Viz/Datastructurerequirementsforvisualizations#Pie...

Pie charts are one dimensional and only support a single series. They work off of tables with just two columns, where the first column contains the labels for each slice of the pie, and the second column contains numerical values that correspond to each label, determining the relative size of each slice. If the table generated by the search contains additional columns, those extra columns have no meaning in the terms of the pie chart and are ignored.

This means your search will not work this way. But there are some ways you can achieve the target; try this run everywhere command:

index=_internal OR index=_audit | stats count(buckets) AS buckets sum(kb) AS sum | transpose

or something like this

index=_internal OR index=_audit | eval type=case(isnotnull(kb), "kb", isnotnull(buckets), "buckets") | stats count by type

adapted to your provide search string, something like this should work:

index=myindexname sourcetype=mysourcetype | stats latest(field1) as postedpayments latest(field2) as exceptions | transpose

hope this helps to get you started ...

cheers, MuS

Reply
Solved! Jump to solution

shariinPH
Contributor
‎10-16-2014 02:56 AM

Thanks @Mus. It works! 😄

Reply
Solved! Jump to solution

demodav
Path Finder
‎12-03-2015 11:37 AM

| transpose is what I needed

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...