- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Pie chart max value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Splunkers,
I'm working on a pie chart where I am trying to show the total number of assets and then show that same list of assets that has a particular software package installed. Both sets of info come from two .csv files specified by source=*.csv. I get the numbers correctly by doing the following:
mysearch | | stats dc(HostName) by source
The chart correctly shows:
Total_Mac_Assets = 608
Total_Mac_Assets w/_DG_Installed = 475
However the Total_Mac_Assets needs to be the full “Pie” in the pie chart and the 475 needs to be a slice of that total.
In the pie chart currently generated, it looks like 608 is half and 475 is half but 133 short of 608, if that makes sense. For example, if I were to have the software installed across all assets, the pie would be split evenly down the middle.
How do I set the 100% range of the pie chart to equal Total_Mac_Assets = 608 and then have Total_Mac_Assets_w/_DG_Installed = 475 be a slice of that total?
Thanks for any assistance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a sample implementation (run anywhere) with similar logic. Adjust this per your scenario.
If this is your current search
index=_internal log_level="ERROR" OR log_level="INFO" | stats count by log_level
Output:
log_level count
..................
ERROR 130
WARN 200
This should be updated search
index=_internal log_level="ERROR" OR log_level="INFO" | eval log_level=if(log_level="ERROR", "ERROR","No ERROR") | stats count by log_level
Output:
log_level count
..................
ERROR 130
NO ERROR 70
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you possibly looking for Sunburst charts? Basically two-dimensional pie charts: http://apps.splunk.com/app/1613/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a sample implementation (run anywhere) with similar logic. Adjust this per your scenario.
If this is your current search
index=_internal log_level="ERROR" OR log_level="INFO" | stats count by log_level
Output:
log_level count
..................
ERROR 130
WARN 200
This should be updated search
index=_internal log_level="ERROR" OR log_level="INFO" | eval log_level=if(log_level="ERROR", "ERROR","No ERROR") | stats count by log_level
Output:
log_level count
..................
ERROR 130
NO ERROR 70
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thats exactly what I'm trying to do actually. How would I go about building that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my knowledge, the pie chart doesn't provide options to overlap slices. If Total_Mac_Assets acquire 100% of the pie chart then Total_Mac_Assets_w/_DG_Installed will be overlapping with it and that will not work. One workaround that you can try would be to calculate and plot Total_Mac_Assets_w/o_DG_Installed which will be Total_Mac_Assets-Total_Mac_Assets_w/_DG_Installed, so that Total_Mac_Assets_w/_DG_Installed and Total_Mac_Assets_w/o_DG_Installed will total 100% (608). You can set chart title as "Mac_Assets".
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
