How can I invert my pie chart?

pranaynanda
Path Finder

I'm trying to create a pie chart in trellis view such that it shows me the number of jobs that ended in terminal or complete state. Right now the chart shows data by state and then divides the pie into months. I want the opposite. I want the headers to display months and the respective pie charts to be divided by state.

    index="secretindex" host=$location$ sourcetype=Logs FinalState=TERMINAL OR FinalState=COMPLETE
    | timechart count(eval(FinalState="TERMINAL")) as TERMINAL, count(eval(FinalState="COMPLETE")) as COMPLETE span=1month

Please help!!

0 Karma
1 Solution

niketn
Legend

[Updated Answer]
With further details for trellis:
Please use the following option to split by Time field which should show Month as Trellis Pie Chart Header

    <option name="trellis.splitBy">Time</option>

PS: I have corrected span to 1mon as per suggestion and strftime() from %m to %b to show month abbreviation instead of month as number.


@pranaynanda, Try the following:

    index="secretindex" host=$location$ sourcetype=Logs FinalState=TERMINAL OR FinalState=COMPLETE
    | bin _time span=1mon
    | eval Time=strftime(_time,"%b-%Y")
    | chart count over FinalState by Time

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lfedak_splunk
Splunk Employee

Hey @pranaynanda, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

0 Karma

pranaynanda
Path Finder

You Rock! Thanks!

0 Karma

DalJeanis
SplunkTrust

Save yourself some grief and train your users to look at it this way...

    | eval Time=strftime(_time,"%Y-%m")

pranaynanda
Path Finder

It's not the format of time that I wish to change. I want the charts to look in such a way that the header says the Month and then below each month it splits the respective pie by FinalState.

Is such a thing even possible?

0 Karma

DalJeanis
SplunkTrust

@pranaynanda - Since @niketnilay had you handled, I just made more of a plain comment than a solution. You will save yourself a LOT of grief if you just get in the habit of using that "%Y-%m" date format.

pranaynanda
Path Finder

I appreciate your concern. I simply can't understand how that will help me. Is there something bad about the format I posted in?

0 Karma

DalJeanis
SplunkTrust

@pranaynanda - When you put year, month, day and 24-hour format time then the human-readable values can be sorted or directly compared against each other, without changing back to epoch format. That saves massive amounts of programming.

Also, "08/11/1975" is ambiguous across cultures and locations, whereas "1975-08-11" or "1975-11-08", whichever one of those was meant, cannot be mistaken for each other. So you eliminate work and confusion at the same time.

pranaynanda
Path Finder

Interesting. I understand now. I used the "%B %Y" format and then used the trellis view. Maybe there's more processing involved but there's no confusion here I guess. Thank you for the great advice btw. I can use it in other charts that I have. I never thought that reading a date could be so ambiguous across cultures and boundaries. Thank you for pointing that out.

DalJeanis
SplunkTrust

@pranaynanda - Yes, it's a major cause for confusion in multinationals. Obviously, the full written-out month name is not an issue that way, but it cannot be sorted.

0 Karma

pranaynanda
Path Finder

Apologies for picking up this old topic and not listening to you previously but I get your concern now. Can you help me sort it while letting me visually keep the "%B %Y" format? "%Y-%m" works but I think %B %Y is visually more appealing.

0 Karma

niketn
Legend

@pranaynanda, the Trellis Aggregate By field expects a query with a by clause as the final transforming command. So, while it is possible to keep the "%b %Y" format sorted using SPL, it cannot be done directly via a stats by clause, which implies Trellis will lose its Aggregate By option.

So would the following suffice the need? It will retain both digit month for sorting and abbreviated Month name for clarity.

    <YourBaseSearch>
    | bin _time span=1mon
    | eval Time=strftime(_time,"%Y-%m (%b)")
    | chart count over FinalState by Time

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma
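
The sortability and ambiguity points raised in the comments above, together with the "%Y-%m (%b)" compromise, as an added example that is not part of the original thread. It is a Python sketch that buckets constructed events by month the way the SPL does and checks which label formats stay chronological under plain string sorting; the event data and function names are assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (timestamp, FinalState); they deliberately span a year boundary.
EVENTS = [
    ("2017-11-03 10:15:00", "COMPLETE"),
    ("2017-11-21 08:02:00", "TERMINAL"),
    ("2017-12-09 23:40:00", "COMPLETE"),
    ("2018-01-14 04:30:00", "COMPLETE"),
    ("2018-01-30 17:05:00", "TERMINAL"),
    ("2018-02-02 12:00:00", "TERMINAL"),
]


def month_bucket(ts):
    """Snap a timestamp to the start of its month, like `bin _time span=1mon`."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return t.replace(day=1, hour=0, minute=0, second=0)


def pivot(events, fmt):
    """Count per (FinalState, month label), like `chart count over FinalState by Time`."""
    counts = Counter()
    for ts, state in events:
        counts[(state, month_bucket(ts).strftime(fmt))] += 1
    return counts


def sorts_chronologically(events, fmt):
    """True if sorting the month labels as plain text keeps them in time order."""
    buckets = sorted({month_bucket(ts) for ts, _ in events})
    chronological = [b.strftime(fmt) for b in buckets]
    return sorted(chronological) == chronological


def readings(date_text):
    """Every calendar date a slash-separated numeric date can legitimately mean."""
    found = set()
    for fmt in ("%d/%m/%Y", "%m/%d/%Y"):
        try:
            found.add(datetime.strptime(date_text, fmt).date().isoformat())
        except ValueError:
            pass  # not a valid date under this convention
    return sorted(found)
```
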

niketn
Legend

@pranaynanda, sorry for not responding to this earlier. I have updated my answer, you should be able to do what you need through trellis option as mentioned in the updated answer: <option name="trellis.splitBy">Time</option>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jluo_splunk
Splunk Employee

You'll have to modify the span such that it reads 1mon and not 1m since m is reserved for minute.
