Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get the right pie chart based on a group count?

malderhout
New Member
‎05-01-2016 11:34 AM

If have the following search in Splunk:

sourcetype = Tweets | stats count(eval(match(text, "string1"))) AS "string1" count(eval(match(text, "string2"))) AS "string2"

In the statistics tab, I get indeed 2 columns: string1 and string2 with the number of the matches of each.

Now I want to show it in a pie chart, but I get a full color (100%) of only string1.

How do I get a good pie chart, that divides the number of string 1 over (the total number of string1 and string2)?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎05-01-2016 06:13 PM

You could try creating a new field that is precisely what you want, then chart that.

sourcetype = Tweets | stats count(eval(match(text, "string1"))) AS "string1" count(eval(match(text, "string2"))) AS "string2"
| eval Result=string1/(string1+string2)

Then use Result as the field to chart.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎05-01-2016 06:13 PM

You could try creating a new field that is precisely what you want, then chart that.

sourcetype = Tweets | stats count(eval(match(text, "string1"))) AS "string1" count(eval(match(text, "string2"))) AS "string2"
| eval Result=string1/(string1+string2)

Then use Result as the field to chart.

0 Karma
Reply
Solved! Jump to solution

malderhout
New Member
‎05-02-2016 12:47 AM

Hi and thx for the answer.

The new field is added in statistics, but if press the visualisation tab it still shows a 100% fill of string1

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎05-02-2016 06:24 AM

Yes, I should have noticed that before. A Pie chart requires a specific type of input data. You can scroll down the Pie chart section of the Visualization Requirements documentation to see this. Or take my word for it, your choice. Your current data as you are doing it gets you values in multiple fields, like 

Field1  Field2   Result
54        99          .4593

(I made up the numbers, they're not mathematically correct)

What you need it to look like is something more like 

Field1    99
Field2    43

And, you don't really need the "Results" as we made them - or if you do, not necessarily for the same reason of making a pie chart with mouse-over statistics.

So how do we convert it to the right "looking" data?

sourcetype = Tweets | eval TweetMatches=case(match(_raw,"string1"), "string1", match(_raw, "string2"), "string2",1==1, "Other") | chart count by TweetMatches

I might have typoed something in there in my conversion from my own internal working sample to an example with your names, but otherwise that should create something close to what you want. Notice I included an "Other" field, you can drop off the entire end of that 1==1, "Other" if you don't want that, but I thought I would include that.

Then just check your Pie chart visualization and see what you think!

Reply
Solved! Jump to solution

malderhout
New Member
‎05-02-2016 07:16 AM

Many Thanks I have the piechart working now!. Indeed I miss some knowledge regarding the visualisation possibilities with Splunk 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...