- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- pie chart to show values of two dates to compare
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
My requirement is i have given user to choose 2 dates and depending on the dates chosen i need to show pie chart so that the user can see the difference of count from Date1 to Date2.
Here is the query am using now. and i am showing that in two different panels. But it would be better if i can compare using same panel same graph.
Note: Dates are not a range.
Example: Date1 = 20/09/2019 and Date2 = 17/10/2019
index="compliance_sum" | table name result ruleName |appendpipe[lookup netshot.csv Nom as name OUTPUT "Infrastrucure Name" teamInCharge] |table name result ruleName "$infraname$" teamInCharge |search "Infrastrucure Name"="FRA-SWING" |search teamInCharge="$team$"| search result="NONCONFORMING" | eval templateType=macro_template | where result="NONCONFORMING" | stats count by teamInCharge templateType | eval teamInCharge=teamInCharge." : ".count
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try pulling the date out of the _time field and stripping out everything that isn't those two dates.
You will need to set your earliest/lasted to be outside of your 2 date ranges for it to work.
Then If you add the date to your stats you can use a Trellis split by date to get your two charts
index="compliance_sum"
| eval date = strftime(_time,"%d/%m/%Y")
| search date=Date1 OR date=Date2
| table name result ruleName
| appendpipe
[ lookup netshot.csv Nom as name OUTPUT "Infrastrucure Name" teamInCharge]
| table name result ruleName "$infraname$" teamInCharge
| search "Infrastrucure Name"="FRA-SWING"
| search teamInCharge="$team$"
| search result="NONCONFORMING"
| eval templateType=`macro_template`
| where result="NONCONFORMING"
| stats count by teamInCharge templateType date
| eval teamInCharge=teamInCharge." : ".count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try pulling the date out of the _time field and stripping out everything that isn't those two dates.
You will need to set your earliest/lasted to be outside of your 2 date ranges for it to work.
Then If you add the date to your stats you can use a Trellis split by date to get your two charts
index="compliance_sum"
| eval date = strftime(_time,"%d/%m/%Y")
| search date=Date1 OR date=Date2
| table name result ruleName
| appendpipe
[ lookup netshot.csv Nom as name OUTPUT "Infrastrucure Name" teamInCharge]
| table name result ruleName "$infraname$" teamInCharge
| search "Infrastrucure Name"="FRA-SWING"
| search teamInCharge="$team$"
| search result="NONCONFORMING"
| eval templateType=`macro_template`
| where result="NONCONFORMING"
| stats count by teamInCharge templateType date
| eval teamInCharge=teamInCharge." : ".count
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
