I have final numbers like this :
RED YELLOW GREEN
1 3 9
It is result of a chart command. But when i plot this on a pie chart it only plots a single number(RED) on the entire pie, whereas it should be divided into 3 parts with numbers like 1 3 9
@macadminrohit you can use transpose to get the data in format required by the pie chart. Try to add the following two lines to your current search:
<yourCurrentSearch>
| transpose header_field=Color column_name=Color
| rename "row 1" as count
Following is a run anywhere search based on sample data provided (commands till | table
generate the mock data):
| makeresults
| eval data="1,3,9"
| makemv data delim=","
| eval RED=mvindex(data,0),YELLOW=mvindex(data,1), GREEN=mvindex(data,2)
| table RED YELLOW GREEN
| transpose header_field=Color column_name=Color
| rename "row 1" as count
Try this:
| makeresults
| eval RED=1, YELLOW=3, GREEN=9
| table RED YELLOW GREEN
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval _time=now()
| untable _time color count
| fields - _time
In lot of my existing searches , I see _time being evaluated to now() . Not sure what good it does?
Your answer is also one of the solutions.
@macadminrohit you can use transpose to get the data in format required by the pie chart. Try to add the following two lines to your current search:
<yourCurrentSearch>
| transpose header_field=Color column_name=Color
| rename "row 1" as count
Following is a run anywhere search based on sample data provided (commands till | table
generate the mock data):
| makeresults
| eval data="1,3,9"
| makemv data delim=","
| eval RED=mvindex(data,0),YELLOW=mvindex(data,1), GREEN=mvindex(data,2)
| table RED YELLOW GREEN
| transpose header_field=Color column_name=Color
| rename "row 1" as count