Hi Cloud of wisdom 🙂
I am starting with splunk>, and I am stuck trying to create a simple report. Basically, I have a set of IIS log files, and I am trying to create a pie chart based on the number of events, IPv6 vs IPv4.
I do already have the search, but I am struggling trying to create the pie chart. I went through the documentation, but I am not able to see clearly how to do it.
This is my search:
source="C:\wamp\logipv6\." | rex field=c_ip "(?
I have created two fields, ipv6 and ipv4. The search works like a charm, but I am not able to create that simple pie chart with the count of those fields on it.
Would you mind helping me with this issue?
Thanks in advance!
It seems like what you want is a pie chart which shows two values: the count of ipv4 addresses and the count of ipv6 addresses, correct? To do that, you'll need to end up with something analogous to a single field which reflects that. There are quite a few ways to do this, so I'll just throw this one out there:
what_you_have | stats count(ipv4) as ipv4 count(ipv6) as ipv6 | transpose
The various charts are expecting some standard columnar output from your search. If you remove the "transpose" you'll see that you end up with a single row with 2 columns (value, value). Adding the transpose gives you 2 columns (label, value), which is what a pie chart wants. You could also do something like this to create a new field to count against:
what_you_have | eval type=case(isnotnull(ipv4), "ipv4", isnotnull(ipv6), "ipv6") | stats count by type
Though, it's the weekend and I'm getting different numbers in testing between those, so verify the correctness.
Also, you should lose the rex stuff and do field extractions on your events ( http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample ).
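As an added illustration (not part of the original answer) of why the two searches above can disagree, the script below models both pipelines in Python over a constructed IIS W3C log sample. The regexes stand in for the poster's cut-off rex and are assumptions; the key case is an IPv4-mapped IPv6 client address (::ffff:a.b.c.d), which matches both patterns, so `stats count(ipv4) count(ipv6)` counts it twice while `eval type=case(...)` assigns it only to the first branch.

```python
import re
from collections import Counter

# Constructed IIS W3C log sample (not from the original post); c-ip is column 9.
IIS_LINES = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-01-01 10:00:00 10.0.0.5 GET /index.html - 80 - 192.168.1.20 Mozilla/5.0 200
2023-01-01 10:00:01 10.0.0.5 GET /index.html - 80 - 2001:db8::1 Mozilla/5.0 200
2023-01-01 10:00:02 10.0.0.5 GET /login - 80 - ::ffff:192.168.1.21 Mozilla/5.0 302
2023-01-01 10:00:03 10.0.0.5 GET /robots.txt - 80 - - Mozilla/5.0 404
"""

# Loose patterns in the spirit of a rex extraction (hypothetical; the post's regex
# is cut off). An IPv4-mapped IPv6 address like ::ffff:192.168.1.21 matches BOTH.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
IPV6_RE = re.compile(r"([0-9a-fA-F]*:[0-9a-fA-F:.]+)")


def extract_fields(line):
    """Return (ipv4, ipv6) for one event; None where the pattern does not match."""
    c_ip = line.split(" ")[8]
    v4, v6 = IPV4_RE.search(c_ip), IPV6_RE.search(c_ip)
    return (v4.group(1) if v4 else None, v6.group(1) if v6 else None)


def events(log):
    """All non-header lines as (ipv4, ipv6) tuples, like the search results."""
    return [extract_fields(l) for l in log.splitlines() if not l.startswith("#")]


def count_per_field(evts):
    """Models `stats count(ipv4) as ipv4 count(ipv6) as ipv6 | transpose`: count(field)
    counts every event where the field is non-null, so a both-set event lands in both rows."""
    ipv4 = sum(1 for v4, _ in evts if v4 is not None)
    ipv6 = sum(1 for _, v6 in evts if v6 is not None)
    return [("ipv4", ipv4), ("ipv6", ipv6)]


def count_by_type(evts):
    """Models `eval type=case(isnotnull(ipv4),"ipv4", isnotnull(ipv6),"ipv6") | stats count by type`:
    case() takes the first true branch, so each event gets at most one type; no-match events drop."""
    types = Counter()
    for v4, v6 in evts:
        if v4 is not None:
            types["ipv4"] += 1
        elif v6 is not None:
            types["ipv6"] += 1
    return sorted(types.items())
```

With the sample above the first search yields ipv4=2, ipv6=2 (four counts for three addressed events) and the second yields ipv4=2, ipv6=1; tightening the extraction so each event sets exactly one field makes both searches agree.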
Thank you so much, it worked out. I already have my shiny IPV6 pie chart 🙂