I'm trying to analyze the makeup of different event types coming from a series of different hosts. To do that, I would like to create a search that will create one pie chart per host. Each pie chart will show the percentages of Sourcetypes coming from that host. This would seem to be a very simple operation conceptually, but as is typical of Splunk, the execution is quite difficult. It's a no-brainer to produce the raw stats with this search:
index=myindex | stats count by host,sourcetype
I can even produce a pie chart where it mashes all of the results into a single pie chart, showing each host's event count in terms of the whole. That's by replacing the "Stats" command with "Chart." But splitting those charts out per host is what's escaping me.
Thanks for the help.
Hi JdeFalconr,
I suggest saving each host specific search into a dashboard panel, i.e. run each search and save the search as a panel into an existing pie chart dashboard.
index=myindex | stats count by host,sourcetype| where host="your_hostname" |table sourcetype count
Not sure what version of Splunk you have, but in 6.x there is a post-process search dashboard functionality that allows you to run the base search in your dashboard and then post-process searches (i.e. the where host=... | table ...) for each dashboard panel.
http://docs.splunk.com/Documentation/Splunk/6.3.0/Viz/Savedsearches#Basic_post-process_example
Hope this makes sense and helps.
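The base-search plus post-process layout described in the answer above, written out as a Splunk Simple XML dashboard. This is an added example, not code from the original answer or from the linked documentation. The index name `myindex` comes from the question; the host names `web01` and `web02`, the panel titles and the 24-hour time range are assumptions, and you would copy one panel per host you care about. The aggregation is done in the base search so that each panel only post-processes a few rows of stats output rather than raw events, which matters because a post-process search only sees a limited number of base-search results (10,000 by default).

```xml
<dashboard>
  <label>Sourcetype mix per host</label>

  <!-- Base search, run once for the whole dashboard.
       The stats aggregation lives here so every post-process search below
       filters a small table of (host, sourcetype, count) rows instead of raw
       events. "myindex" is the index name from the question. -->
  <search id="base">
    <query>index=myindex | stats count by host, sourcetype</query>
    <earliest>-24h@h</earliest>   <!-- assumed time range -->
    <latest>now</latest>
  </search>

  <row>
    <!-- One pie chart per host. "web01" and "web02" are assumed host names;
         duplicate a panel and change the host= filter for each extra host. -->
    <panel>
      <title>web01: events by sourcetype</title>
      <chart>
        <search base="base">
          <query>where host="web01" | table sourcetype count</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>

    <panel>
      <title>web02: events by sourcetype</title>
      <chart>
        <search base="base">
          <query>where host="web02" | table sourcetype count</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Each pie chart shows one host's sourcetypes as shares of that host's total, which is the per-host percentage breakdown the question asked for; the percentages appear in the chart's legend and hover text. Because the base search runs once, adding panels does not add search load.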
As @gcato said: every visualization (i.e. pie chart) requires a separate search.
If you would like to see all hosts but not discriminate by sourcetype, this will produce that pie chart:
index=myIndex | chart count over host by sourcetype
If you would like something that presents the data for all hosts nicely from a single search, then this tabular data should do the trick for you:
index=myIndex | chart count over host by sourcetype | addtotals row=t col=t | fillnull value=TOTAL
Thank you!
Thanks for the idea, I appreciate it. However a dashboard is far more effort than I wanted to put into creating this search. Isn't there an easy way to simply split the results by host and visualize?
I'd use the following
index=myindex | chart count over host by sourcetype
and then visualise it with a bar graph stacked to 100%. This will give a nice comparison by host.
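The single-search approach above, as an added example in Simple XML that is not part of the original answer: one panel carries the suggested chart with the stack mode set to 100% in the panel options, and a second panel computes the exact per-host percentages in a table. The index name `myindex` comes from the thread; the option name `charting.chart.stackMode` is the standard Simple XML charting option, and the time range and panel titles are assumptions. The second search uses `eventstats` to add each host's total to every row so that `count / host_total` is the share of that sourcetype within that host rather than within the whole index.

```xml
<dashboard>
  <label>Sourcetype mix per host (single search)</label>

  <row>
    <!-- The search from the answer, rendered as a 100%-stacked bar chart:
         one bar per host, segments sized by each sourcetype's share. -->
    <panel>
      <title>Sourcetype share per host</title>
      <chart>
        <search>
          <query>index=myindex | chart count over host by sourcetype</query>
          <earliest>-24h@h</earliest>   <!-- assumed time range -->
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked100</option>
      </chart>
    </panel>

    <!-- Same data as exact numbers. eventstats computes each host's total
         without collapsing the rows, so the percentage is per host. -->
    <panel>
      <title>Sourcetype percentage per host</title>
      <table>
        <search>
          <query>index=myindex
| stats count by host, sourcetype
| eventstats sum(count) as host_total by host
| eval pct=round(100*count/host_total, 1)
| sort host, -pct
| table host sourcetype count pct</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The table search can also be run on its own in the search bar if you want the numbers without building a dashboard at all; the chart panel is only needed for the visual comparison.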
Hi JdeFalconr, did the bar graph give you a suitable solution?
I think so, yes, that's closest to what I was originally after. I'd mark it as an answer but it looks like it's placed as a comment instead.
In any case, thank you!
I converted this to an answer; click "Accept".