- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Pie Chart report with two field counts
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Cloud of wisdom 🙂
I am starting with splunk> , and I am stucked trying to create a simple report. Basically, I have a set of IIS log files, and I am trying to create a pie chart based on the number of events IPV6 vs IPV4
I do already have the search, but I am struggling trying to create the pie chart. I went through the documentation, but I am not able to see it clearly of to do it.
This is my search:
source="C:\wamp\logipv6\." | rex field=c_ip "(?
I have create two fields, ipv6 and ipv4. The search works like a charm, but I am not able to create that simple pie chart with the count of those fields on it.
would you mind to help me with this issue?
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems like what you want is a pie chart which shows two values: the count of ipv4 addresses, and the count of ipv6 address, correct? To do that, you'll need to end up with something analogous to a single field which reflects that. There are quite a few ways to do this, so I'll just throw this one out there:
what_you_have | stats count(ipv4) as ipv4 count(ipv6) as ipv6 | transpose
The various charts are expecting some standard columnar output from your search. If you remove the "transpose" you'll see that you end up with a single row with 2 columns (value, value). Adding the transpose gives you 2 columns (label, value), which is what a pie chart wants. You could also do something like this to create a new field to count against:
what_you_have | eval type=case(isnotnull(ipv4), "ipv4", isnotnull(ipv6), "ipv6") | stats count by type
Though, it's the weekend and I'm getting different numbers in testing between those, so verify the correctness.
Also, you should lose the rex stuff and do field extractions on your events ( http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample ).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems like what you want is a pie chart which shows two values: the count of ipv4 addresses, and the count of ipv6 address, correct? To do that, you'll need to end up with something analogous to a single field which reflects that. There are quite a few ways to do this, so I'll just throw this one out there:
what_you_have | stats count(ipv4) as ipv4 count(ipv6) as ipv6 | transpose
The various charts are expecting some standard columnar output from your search. If you remove the "transpose" you'll see that you end up with a single row with 2 columns (value, value). Adding the transpose gives you 2 columns (label, value), which is what a pie chart wants. You could also do something like this to create a new field to count against:
what_you_have | eval type=case(isnotnull(ipv4), "ipv4", isnotnull(ipv6), "ipv6") | stats count by type
Though, it's the weekend and I'm getting different numbers in testing between those, so verify the correctness.
Also, you should lose the rex stuff and do field extractions on your events ( http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample ).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much, it worked out. I already have my shiny IPV6 pie chart 🙂
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
