How to write a search to produce one pie chart per host showing percentages of sourcetypes?

JdeFalconr
Explorer

I'm trying to analyze the makeup of different event types coming from a series of different hosts. To do that, I would like to create a search that will create one pie chart per host. Each pie chart will show the percentages of Sourcetypes coming from that host. This would seem to be a very simple operation conceptually, but as is typical of Splunk, the execution is quite difficult. It's a no-brainer to produce the raw stats with this search:

index=myindex | stats count by host,sourcetype

I can even produce a pie chart where it mashes all of the results into a single pie chart, showing each host's event count in terms of the whole. That's by replacing the "Stats" command with "Chart." But splitting those charts out per host is what's escaping me.

Thanks for the help.

0 Karma
1 Solution

gcato
Contributor

Hi JdeFalconr,

I suggest saving each host specific search into a dashboard panel, i.e. run each search and save the search as a panel into an existing pie chart dashboard.

index=myindex | stats count by host,sourcetype | where host="your_hostname" | table sourcetype count

Not sure what version of Splunk you have but in 6.x there is a post search dashboard functionality that allows you to run the base search in your dashboard and then post searches (i.e. the where host=... |table ... ) for each dashboard panel.

http://docs.splunk.com/Documentation/Splunk/6.3.0/Viz/Savedsearches#Basic_post-process_example

Hope this makes sense and helps.

woodcock
Esteemed Legend

As @gcato said: every visualization (i.e. pie chart) requires separate search.

If you would like to see all hosts but not discriminate by sourcetype, this will produce that pie chart:

index=myIndex | chart count over host by sourcetype

If you would like something that presents the data for all hosts nicely from a single search, then this tabular data should do the trick for you:

index=myIndex | chart count over host by sourcetype | addtotals row=t col=t | fillnull value=TOTAL
0 Karma

JdeFalconr
Explorer

Thank you!

0 Karma

JdeFalconr
Explorer

Thanks for the idea, I appreciate it. However a dashboard is far more effort than I wanted to put into creating this search. Isn't there an easy way to simply split the results by host and visualize?

0 Karma

gcato
Contributor

I'd use the following

index=myindex | chart count over host by sourcetype

and then visualise with a bar graph with stacked to 100%. This will give a nice comparison by host.

0 Karma
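To make the two suggested searches concrete, here is an added example (not from the thread or from Splunk) that reproduces, over a handful of constructed events, what `chart count over host by sourcetype | addtotals row=t col=t | fillnull value=TOTAL` returns and the per-host percentages a 100%-stacked bar or per-host pie chart would display. The host and sourcetype names are made up.

```python
from collections import Counter

# Constructed sample events standing in for the results of `index=myindex`
# (made-up records, not data from the thread).
EVENTS = [
    {"host": "web01", "sourcetype": "access_combined"},
    {"host": "web01", "sourcetype": "access_combined"},
    {"host": "web01", "sourcetype": "access_combined"},
    {"host": "web01", "sourcetype": "linux_secure"},
    {"host": "db01", "sourcetype": "linux_secure"},
    {"host": "db01", "sourcetype": "linux_secure"},
    {"host": "db01", "sourcetype": "syslog"},
    {"host": "db01", "sourcetype": "syslog"},
]

def chart_count_over_host_by_sourcetype(events):
    """Mirror `chart count over host by sourcetype`: one row per host, one
    column per sourcetype, with missing cells filled with 0 as chart does."""
    counts = Counter((e["host"], e["sourcetype"]) for e in events)
    hosts = sorted({h for h, _ in counts})
    sourcetypes = sorted({s for _, s in counts})
    return {h: {s: counts[(h, s)] for s in sourcetypes} for h in hosts}

def addtotals_row_col(table, label="TOTAL"):
    """Mirror `addtotals row=t col=t | fillnull value=TOTAL`: append a Total
    column to every row, then a summary row whose empty host label is what
    fillnull turns into TOTAL."""
    if not table:
        return {}
    out = {h: dict(row, Total=sum(row.values())) for h, row in table.items()}
    columns = next(iter(table.values())).keys()
    summary = {s: sum(row[s] for row in table.values()) for s in columns}
    summary["Total"] = sum(summary.values())
    out[label] = summary
    return out

def percent_by_host(table):
    """Share of each sourcetype within a host (one decimal): the figures a
    100%-stacked bar chart or a per-host pie chart would show."""
    return {h: {s: round(100.0 * n / sum(row.values()), 1) for s, n in row.items()}
            for h, row in table.items()}

if __name__ == "__main__":
    table = chart_count_over_host_by_sourcetype(EVENTS)
    for host, row in addtotals_row_col(table).items():
        print(host, row)
    for host, row in percent_by_host(table).items():
        print(host, row)
```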

gcato
Contributor

Hi JdeFalconr, did the bar graph give you a suitable solution?

0 Karma

JdeFalconr
Explorer

I think so, yes, that's closest to what I was originally after. I'd mark it as an answer but it looks like it's placed as a comment instead.

In any case, thank you!

0 Karma

woodcock
Esteemed Legend

I converted this to an answer; click "Accept".

0 Karma