Re: Could you help me link a pie chart with an inp...

jip31 · ‎11-05-2018

hello

I use the code below for doing a pie chart

index=windows sourcetype="wineventlog:system" SourceName="Disk" EventCode=7 Type="Critique" 
| dedup _time 
| stats count by EventCode
| eventstats sum(count) as Total 
| eval percent=round((count/Total)*100,1) 
| eval EventCode=EventCode."(count: ".count.", percent: ".percent.")"

I need to update automatically this pie chart from an input token which represents the hostname.

I have something like this, but it doesn't work.

| stats count by EventCode, host

have you an idea please???

jip31 · ‎11-05-2018

Nobody can't help me please??

renjith_nair · ‎11-06-2018

@jip31,

if you just want to filter based on the host name from the token, then try adding this to your base search.

     index=windows sourcetype="wineventlog:system" SourceName="Disk" EventCode=7 Type="Critique"  host=$hostname$

---
What goes around comes around. If it helps, hit it with Karma 🙂

jip31 · ‎11-12-2018

pearhaps I have bad explained
my token works with * or with an exact host
but i would like to have no pie chart if a wrong host is entered in the token
even with a wrong host actually my pie chart is always displayed....

jip31 · ‎11-09-2018

hi it's what i m doing but when i m doing this in my report I cant have any results....

renjith_nair · ‎11-09-2018

Try one of the hostnames which is a candidate for $hostname$ and search in search window and see if it returns

---
What goes around comes around. If it helps, hit it with Karma 🙂

Could you help me link a pie chart with an input token?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases