Splunk Search

Pie Chart report with two field counts

mihe
Engager

Hi Cloud of wisdom 🙂

I am starting with splunk> , and I am stuck trying to create a simple report. Basically, I have a set of IIS log files, and I am trying to create a pie chart based on the number of events IPV6 vs IPV4

I do already have the search, but I am struggling trying to create the pie chart. I went through the documentation, but I am not able to see clearly how to do it.

This is my search:

source="C:\wamp\logipv6\." | rex field=c_ip "(?<ipv6>[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4})" | rex field=c_ip "(?<ipv4>(([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5]))"

I have created two fields, ipv6 and ipv4. The search works like a charm, but I am not able to create that simple pie chart with the count of those fields on it.

Would you mind helping me with this issue?

Thanks in advance!


mw
Splunk Employee

It seems like what you want is a pie chart which shows two values: the count of ipv4 addresses, and the count of ipv6 addresses, correct? To do that, you'll need to end up with something analogous to a single field which reflects that. There are quite a few ways to do this, so I'll just throw this one out there:

what_you_have | stats count(ipv4) as ipv4 count(ipv6) as ipv6 | transpose

The various charts are expecting some standard columnar output from your search. If you remove the "transpose" you'll see that you end up with a single row with 2 columns (value, value). Adding the transpose gives you 2 columns (label, value), which is what a pie chart wants. You could also do something like this to create a new field to count against:

what_you_have | eval type=case(isnotnull(ipv4), "ipv4", isnotnull(ipv6), "ipv6") | stats count by type

Though, it's the weekend and I'm getting different numbers in testing between those, so verify the correctness.

Also, you should lose the rex stuff and do field extractions on your events ( http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample ).

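The two pipelines in the accepted answer are easy to confuse because `stats count(ipv4) ... count(ipv6)` counts each field independently, while `eval type=case(...)` puts every event in exactly one bucket. The Python below is an added, stand-alone emulation of both pipelines (it is not Splunk code and not the answerer's code) run over a few constructed IIS W3C log lines. It restores the `<ipv4>`/`<ipv6>` group names to the question's regexes (an assumption based on the field names used in the answer) and shows one way the two approaches can legitimately disagree: the posted IPv4 pattern is unanchored and, with a bare `.`, also matches runs such as `0:1:2:3` inside an IPv6 address, so those events get both fields and are counted twice by the first pipeline but only once by `case()`. The anchored, dot-escaped variants make the two agree.

```python
import re

# Building blocks of the question's rex patterns (group names restored; assumption).
HEX = r"[0-9A-Fa-f]{1,4}"
OCTET = r"(?:[01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])"

# As posted: unanchored, and '.' is a wildcard that also matches ':'.
IPV6_RE_POSTED = re.compile(r"(?P<ipv6>" + ":".join([HEX] * 8) + r")")
IPV4_RE_POSTED = re.compile(r"(?P<ipv4>(?:" + OCTET + r".){3}" + OCTET + r")")

# Tightened: literal dots and anchored to the whole c_ip field.
IPV6_RE_STRICT = re.compile(r"^(?P<ipv6>" + ":".join([HEX] * 8) + r")$")
IPV4_RE_STRICT = re.compile(r"^(?P<ipv4>(?:" + OCTET + r"\.){3}" + OCTET + r")$")

# Constructed IIS W3C-style log lines (not from the question); c-ip is the last column.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem c-ip
2024-03-01 10:00:00 10.0.0.5 GET /index.html 192.168.1.10
2024-03-01 10:00:01 10.0.0.5 GET /index.html 2001:db8:0:1:2:3:4:5
2024-03-01 10:00:02 10.0.0.5 GET /about.html 192.168.1.11
2024-03-01 10:00:03 10.0.0.5 GET /index.html fe80:0:0:0:1:2:3:4
2024-03-01 10:00:04 10.0.0.5 GET /index.html 172.16.0.9
"""


def parse_events(log_text):
    """Turn W3C log lines into events with a c_ip field; skip directive lines."""
    events = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        events.append({"c_ip": line.split()[-1]})
    return events


def rex(events, ipv4_re, ipv6_re):
    """Emulate `rex field=c_ip ...`: add ipv4/ipv6 only where the regex matches."""
    out = []
    for ev in events:
        ev = dict(ev)
        m4 = ipv4_re.search(ev["c_ip"])
        m6 = ipv6_re.search(ev["c_ip"])
        if m4:
            ev["ipv4"] = m4.group("ipv4")
        if m6:
            ev["ipv6"] = m6.group("ipv6")
        out.append(ev)
    return out


def stats_count_transpose(events):
    """Emulate `stats count(ipv4) as ipv4 count(ipv6) as ipv6 | transpose`.
    count(field) counts events where that field is non-null, per field,
    so an event carrying both fields contributes to both rows."""
    return [("ipv4", sum("ipv4" in e for e in events)),
            ("ipv6", sum("ipv6" in e for e in events))]


def eval_case_stats(events):
    """Emulate `eval type=case(isnotnull(ipv4),"ipv4",isnotnull(ipv6),"ipv6")
    | stats count by type`. case() takes the first true branch, so each event
    lands in one bucket; events with no type are dropped by `stats ... by type`."""
    counts = {}
    for e in events:
        if "ipv4" in e:
            t = "ipv4"
        elif "ipv6" in e:
            t = "ipv6"
        else:
            continue
        counts[t] = counts.get(t, 0) + 1
    return sorted(counts.items())


def pie_rows(log_text, strict):
    """Return the (label, value) rows each pipeline would hand to a pie chart."""
    ipv4_re = IPV4_RE_STRICT if strict else IPV4_RE_POSTED
    ipv6_re = IPV6_RE_STRICT if strict else IPV6_RE_POSTED
    events = rex(parse_events(log_text), ipv4_re, ipv6_re)
    return {"transpose": stats_count_transpose(events),
            "case": eval_case_stats(events)}


if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "as posted", pie_rows(SAMPLE_LOG, strict))
```

With the patterns as posted, the sample's two IPv6 events also acquire an `ipv4` field, so the `transpose` pipeline reports 5 ipv4 and 2 ipv6 while `case()` reports 5 ipv4 and no ipv6 row at all; with the anchored patterns both report 3 and 2. The same overlap applies to real IPv4-mapped IPv6 addresses (`::ffff:192.0.2.1`), so whichever pipeline you keep, anchor the extraction and check that each event carries only one of the two fields before trusting the chart.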

mihe
Engager

Thank you so much, it worked out. I already have my shiny IPV6 pie chart 🙂
