Channel: Questions in topic: "splunk-enterprise"

MultiStage Sankey Diagram Count Issue

I am using this as a reference: https://answers.splunk.com/answers/470198/how-to-create-a-multistage-sankey-diagram-with-a-s.html

I am trying to build a sankey diagram to map requests from source to a status (in this case action = success or failure):

    index=win*
    | stats count by src dest action
    | appendpipe [stats count by src dest | rename src as source, dest AS target]
    | appendpipe [stats count by dest action | rename dest as source, action AS target]

But the problem is that it gives me a count of the actions (which there are only 2 possible actions), and not an actual count.

So the original search:

    index=win* | stats count by src dest action

gives me a table like:

    src | dest | action  | count
    ip1 | srv1 | failure | 218
    ip1 | srv1 | success | 300
    ip1 | srv2 | failure | 1579
    ip1 | srv2 | success | 216
    ip2 | srv1 | failure | 1418
    ip2 | srv1 | success | 141
    ip2 | srv2 | failure | 97
    ip2 | srv2 | success | 1031

(there would be 8 combinations)

But the appendpipe to create the sankey:

    | appendpipe [stats count by src dest | rename src as source, dest AS target]
    | appendpipe [stats count by dest action | rename dest as source, action AS target]
    | search source=*
    | fields source target count

gives me a table like:

    source | target   | count
    ip1    | srv1     | 2
    ip1    | srv2     | 2
    ip2    | srv1     | 2
    ip2    | srv2     | 1
    srv1   | action1  | 2
    srv1   | action2  | 2
    srv2   | action1  | 2
    srv2   | action 2 | 2
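Inside `appendpipe`, `stats count` counts the rows already produced by the first `stats` (one row per action for each src/dest pair) rather than adding up their `count` field. The search below is an added example, not part of the original post, that sums the existing counts instead; it rebuilds the eight-row table from the question with `makeresults format=csv`, which is assumed to be available on the Splunk version in use.

```spl
| makeresults format=csv data="src,dest,action,count
ip1,srv1,failure,218
ip1,srv1,success,300
ip1,srv2,failure,1579
ip1,srv2,success,216
ip2,srv1,failure,1418
ip2,srv1,success,141
ip2,srv2,failure,97
ip2,srv2,success,1031"
| appendpipe [stats sum(count) AS count by src dest | rename src AS source, dest AS target]
| appendpipe [stats sum(count) AS count by dest action | rename dest AS source, action AS target]
| search source=*
| fields source target count
```

Against live data, replace the `makeresults` stage with `index=win* | stats count by src dest action`. The second `appendpipe` ignores the rows appended by the first one because they no longer carry `dest` or `action` fields after the rename.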
