Hello together,
I am new at Splunk and need help for the following issue.
I have the field KitchenStuff with 5 values and the number of the values, of this field. 4 of the values are vegetables and 1 value is a fruit. The vegetables are cucumber, tomato, onion and carrot. And the fruit is apple.
With the search sourcetype="notrelevant" | chart count by KitchenStuff I can present the single values with the number of the values in the pie chart. But I want to present the count/sum of all vegetables and fruit(s) in the pie chart.
I have already looked in the documentation and in other questions, but unfortunately I could not find a solution.
Could you please help me?
Thanks in advance!
HI
try something like this
index=your_index sourcetype="notrelevant"
| eval type=if(KitchenStuff="Apple","Fruit","Vegetables")
| chart count by type
if the number of KitchenStuff grows, you can put them in a lookup (e.g. types.csv with two fields:KitchenStuff, type) and run something like this
index=your_index sourcetype="notrelevant"
| lookup types.csv KitchenStuff OUTPUT type
| chart count by type
Bye.
Giuseppe
Give following a try:
sourcetype="notrelevant"
| chart count by KitchenStuff
| eventstats sum(count) as sum
| eval perc=count/sum
| table KitchenStuff perc
HI
try something like this
index=your_index sourcetype="notrelevant"
| eval type=if(KitchenStuff="Apple","Fruit","Vegetables")
| chart count by type
if the number of KitchenStuff grows, you can put them in a lookup (e.g. types.csv with two fields:KitchenStuff, type) and run something like this
index=your_index sourcetype="notrelevant"
| lookup types.csv KitchenStuff OUTPUT type
| chart count by type
Bye.
Giuseppe
Hello cusello,
thank you very much, it works!
With best regards,
TNRRVN93
if you're satisfied, accept my answer.
Bye.
Giuseppe