https://community.splunk.com/t5/Dashboards-Visualizations/Display-latest-data/m-p/511309#M34080 <P>Hi Splunkers,</P><P>&nbsp;</P><P>We have two slices in a pie chart. This is for deployment. One is for Successful log and another is for failure log. We are checking for the count for successful and failure logs. Consider, we have 10 successful log and 2 failure logs. Those two failure logs details have been analysed and deployments have happened and it got reflected in successful log as well, so that the overall count is 12 successful logs and 2 failure logs. Even though we have deployed the failed labels and those are reflecting fine in successful log slice, the same failure log is coming in failure log as well which is making mismatch in the original count. Is there any way to have the latest data alone in the pie chart.</P><P>&nbsp;</P><P>Please note, we have pie chart and we are having two slices -&gt; deployment success and deployment failure</P> Tue, 28 Jul 2020 11:28:43 GMT thaara 2020-07-28T11:28:43Z https://community.splunk.com/t5/Dashboards-Visualizations/Display-latest-data/m-p/511309#M34080 <P>Hi Splunkers,</P><P>&nbsp;</P><P>We have two slices in a pie chart. This is for deployment. One is for Successful log and another is for failure log. We are checking for the count for successful and failure logs. Consider, we have 10 successful log and 2 failure logs. Those two failure logs details have been analysed and deployments have happened and it got reflected in successful log as well, so that the overall count is 12 successful logs and 2 failure logs. Even though we have deployed the failed labels and those are reflecting fine in successful log slice, the same failure log is coming in failure log as well which is making mismatch in the original count. Is there any way to have the latest data alone in the pie chart.</P><P>&nbsp;</P><P>Please note, we have pie chart and we are having two slices -&gt; deployment success and deployment failure</P> Tue, 28 Jul 2020 11:28:43 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Display-latest-data/m-p/511309#M34080 thaara 2020-07-28T11:28:43Z https://community.splunk.com/t5/Dashboards-Visualizations/Display-latest-data/m-p/511323#M34083 Please share the search you are using to create the pie chart. Tue, 28 Jul 2020 12:41:52 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Display-latest-data/m-p/511323#M34083 richgalloway 2020-07-28T12:41:52Z https://community.splunk.com/t5/Dashboards-Visualizations/Display-latest-data/m-p/511334#M34086 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;Please find the query below.&nbsp;</P><P>index=XXX sourcetype=YYY source=*deploy_status.list host=ABC OR host=DEF<BR />| stats count by Deploy_Status</P><P>&nbsp;</P><P>FYI, we have given field extractions for the comma delimiters</P><P>Output&nbsp; for this log is as below</P><P>ABC,project/env,7654321,jenkins-111111.mnopqrs.int-554@abc,Deployment_Failed<BR />ABC,project/env,7654321,jenkins-121211.qwertyui.int-560,Deployment_Successful</P> Tue, 28 Jul 2020 13:32:40 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Display-latest-data/m-p/511334#M34086 thaara 2020-07-28T13:32:40Z https://community.splunk.com/t5/Dashboards-Visualizations/Display-latest-data/m-p/511339#M34087 <P>It's possible to consider only the latest events, but there needs to be a field that distinguishes one set of failed/success events from another.&nbsp; I'm assuming that's the field with the value 7654321 in the sample logs.</P><LI-CODE lang="markup">index=XXX sourcetype=YYY source=*deploy_status.list host=ABC OR host=DEF | rex "([^,]+?,){2}(?&lt;id&gt;\d+)" | dedup id | stats count by Deploy_Status</LI-CODE><P>The <FONT face="courier new,courier">dedup</FONT> command takes the most recent event with an unseen value in the given field.&nbsp; &nbsp;If the id field is already extracted (perhaps by another name) then you can remove the <FONT face="courier new,courier">rex</FONT> command and update <FONT face="courier new,courier">dedup</FONT>.</P> Tue, 28 Jul 2020 13:48:01 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Display-latest-data/m-p/511339#M34087 richgalloway 2020-07-28T13:48:01Z https://community.splunk.com/t5/Dashboards-Visualizations/Display-latest-data/m-p/511344#M34088 <P>Hi</P><P>one way is to use dedup with sortby option to get the latest/newest event only.&nbsp;<BR />r. Ismo</P> Tue, 28 Jul 2020 13:52:19 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Display-latest-data/m-p/511344#M34088 isoutamo 2020-07-28T13:52:19Z