Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Concatenate field and count to display label in pie chart

philallen1
Path Finder
‎09-30-2013 08:10 AM

Hi

This is my query:

Username="*"   | top limit=10000 Username

This gives me a table with many rows, where the first row looks like this:

Username               count    percent
Vivek Lamba (lambav)   607      10.483592

I then view this data using a Pie Chart in my Dashboard.

Currently the labels on the pie chart only display the Username. How can I change my query so that the labels display:
"Username - count"
(i.e. "Vivek Lamba (lambav) - 607")

I've tried adding in an eval command like so:

Username="*"   |  eval UserPlusCount = Username + "-" + count | top limit=10000 UserPlusCount

...but I get 'No results found"

What am I doing wrong?

Thanks

0 Karma
Reply

gun1989
New Member
‎03-22-2016 12:21 AM

Hi Can we add a dynamic result to a header ?

0 Karma
Reply

gfuente
Motivator
‎09-30-2013 08:15 AM

Hello

try this:

...|  eval UserPlusCount = Username. "-". count |...

If it doesnt works, rename the count as other field

Regards

Reply

philallen1
Path Finder
‎09-30-2013 08:42 AM

Sorry I'm new to Splunk. How would the full query look? When I remove the 'top' piece of the query it breaks altogether. What should I replace it with?

Username="*" | stats count as Username by myfield | eval UserPlusCount = Username. "-". myfield | ...(i.e. what should go here)...

Thanks

0 Karma
Reply

gfuente
Motivator
‎09-30-2013 08:23 AM

try:

Instead of top, use: ... | stats count as myfield by Username | eval UserPlusCount = Username. "-". myfield |...

EDIT: Now I noticed, you have to do the eval after the top command, then you have the count field, and you can use it in the eval.

0 Karma
Reply

philallen1
Path Finder
‎09-30-2013 08:21 AM

I just tried:

Username="*" | eval UserPlusCount = Username. "-". Username| top limit=10000 UserPlusCount

And that did bring back data in a table like so:

Vivek Lamba (lambav) - Vivek Lamba (lambav) 607 10.483592

However, when I change "Username" to "count" it doesn't work at all! Any ideas?

0 Karma
Reply

philallen1
Path Finder
‎09-30-2013 08:19 AM

Hi gfuente - thanks for you're unbelievably quick reply.

I tried this:
Username="*" | eval UserPlusCount = Username. "-". count | top limit=10000 UserPlusCount
as you suggested and it didn't work. "No results found"

What do you mean by:
"rename the count as other field"?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...