Dashboards & Visualizations

How to create a pie chart based on "keywords" found in a field?

shinabar22
New Member
index=timswindows sourcetype=ActiveDirectory
   [search index=timswindows sourcetype=WinEventLog EventCode=4624 Account_Name!="-"
   | dedup Account_Name
   | stats values(Account_Name) as sAMAccountName]
| dedup distinguishedName
|fields sAMAccountName, distinguishedName, host
|chart count by distinguishedName

The field in question is "distinguishedName".

There about 4 possible keywords that could be in this field.

How do I filter them out in the chart?

0 Karma

woodcock
Esteemed Legend

It should work the way that you have it. What exactly is the problem? Post sample events and a mockup of your desired outcome when you followup.

0 Karma

shinabar22
New Member

The output I get using the original syntax generates a chart with data from the field "distinguishedName."

The problem is, it shows 34 events. Some are duplicate users but different categories.

Example of a events currently in this field:

distinguishedName="CN=JoeSmith,OU=2019,OU=Dinner,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=JoeSmith,OU=2019,OU=snack,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=TheGrinch,OU=2019,OU=snack,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=TheGrinch,OU=2019,OU=breakfast,OU=Cafeteria,DC=nnv,DC=doi,DC=net"

In the distinguishedName field there about 4 possible keywords assigned to each user.
I want to search the field for a keyword, then show 4 keyword categories: breakfast, lunch, snack, dinner in my pie chart.

I want my pie chart to show how many times a "dinner" event occurred. This way I wont see Joes name 20 times on the chart. He will show up as one event for dinner and twice under snack.

The chart will only show 4 keyword categories:
breakfast - 1
lunch - 0
snack - 2
dinner - 1

0 Karma

abhi04
Communicator

You need to add the transforming command i.e.

| stats count by distinguishedName.

Check the Statistics table after running the search to make sure that a single series generated. The table should have two columns.
DIstinguishedName and its values.

After this click on the visualization tab and click on Pie chart.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...