Splunk Search

Why the renamed values doesn't show on the pie chart?

auaave
Communicator

Hi Guys,

I am creating a pie chart with the below query. I renamed and replaced the column and field values. The data it returns on the table are fine but on the visualization it shows the codes "0002", "000E" instead of the "new name".

How can I fix it to show the renamed value on the visualization? Thank you.

| chart count(INFO) as ITEM_QTY over INFO by BIT_FLAGS | rename "0002" as "CAUTION1", "000E" as "CAUTION1_CAUTION2_ITEMJAM", "000C" as "CAUTION2_ITEMJAM"
| replace 080D with REJECT_CLEARING, 080C with OVERFLOW
0 Karma
1 Solution

493669
Super Champion

If I understood correctly, if you have multiple values of BIT_FLAGSthen in pie chart it will only show first column ..try to check
different Visualizations like column chart...because pie chart used to show how different field values combine over an entire data set

View solution in original post

auaave
Communicator

@493669, Yes you are right, the BIT_FLAGS got multiple value. I am using trellis layout for pie chart. The chart actually displays the correct data my only problem is I cannot rename the field values. On the statistics table, it works but not on the chart. I got the same problem even if I change it to column chart or bar chart. Thank you.

0 Karma

493669
Super Champion

If I understood correctly, if you have multiple values of BIT_FLAGSthen in pie chart it will only show first column ..try to check
different Visualizations like column chart...because pie chart used to show how different field values combine over an entire data set

493669
Super Champion

Try this:

|eval BIT_FLAGS=case(BIT_FLAGS="0002", "CAUTION1",BIT_FLAGS="000E","CAUTION1_CAUTION2_ITEMJAM", BIT_FLAGS="000C","CAUTION2_ITEMJAM",1=1,BIT_FLAGS) | chart count(INFO) as ITEM_QTY over INFO by BIT_FLAGS 
 | replace 080D with REJECT_CLEARING, 080C with OVERFLOW
0 Karma

auaave
Communicator

@493669, this works! Thanks a lot for your help!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...