https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469729#M132181 <P>Replace everything above the comment with the SPL you use to input data from your log file. For example,</P> <PRE><CODE>sourcetype=sourcetype1 source=*.log | rex field=_raw "(\w+\-\d+)\,(\w+)\,(\d+)\,(\w+),(?&lt;Status&gt;\w+.*)" | stats count by Status </CODE></PRE> Tue, 02 Jun 2020 17:26:41 GMT richgalloway 2020-06-02T17:26:41Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469723#M132175 <P>Hi Splunkers,</P> <P>Please guide us on the requirement below:</P> <P><STRONG>Input:</STRONG></P> <PRE><CODE>server, env, req no, input field,status host-1,PROD,1666680,mobile1,Deployment_Successful host-1,PROD,1666680,mobile2,Deployment_failed host-1,PROD,1666680,mobile3,exception host-1,PROD,1666001,mobile1,Deployment_Successful host-1,PROD,1666601,mobile2,Deployment_failed host-1,PROD,16666801,mobile3,exception </CODE></PRE> <P><STRONG>Expected output:</STRONG> Pie chart with status count</P> <P><STRONG>My trial:</STRONG></P> <PRE><CODE>sourcetype=sourcetype1 source=*.log | rex field=_raw "(?\w+\-\d+)\,(?\w+\/\w+)\,(?\d+)\,(?\w+)\,,(?\w+.*)" | stats count by Status </CODE></PRE> <P>The above search is not showing the count if the log has different statuses. Kindly help to guide on this.</P> Mon, 08 Jun 2020 18:08:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469723#M132175 thaara 2020-06-08T18:08:50Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469724#M132176 <P>Please edit your question to correct the <CODE>rex</CODE> command. Also, please share your results and the desired output.</P> Mon, 01 Jun 2020 17:51:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469724#M132176 richgalloway 2020-06-01T17:51:04Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469725#M132177 <P>sourcetype=sourcetype1 source=<EM>.log | rex field=_raw "(?\w+-\d+)\,(?\w+\/\w+)\,(?\d+)\,(?\w+)\,(?\w+.</EM>)" | stats count by Status</P> <P>Output am getting as NONE in pie chart view.</P> <P>please note: If i have only one kind of status example as "deployment_successful" in my log, I can seethe count, but if there are different statuses, I cannot create a pie chart</P> Mon, 01 Jun 2020 18:02:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469725#M132177 thaara 2020-06-01T18:02:22Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469726#M132178 <P>Your regular expression (rex command) doesn't match the data. </P> Mon, 01 Jun 2020 19:48:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469726#M132178 richgalloway 2020-06-01T19:48:08Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469727#M132179 <P>Try this run-anywhere example, which displays a pie chart with 3 segments.</P> <PRE><CODE>| makeresults | eval _raw="host-1,PROD,1666680,mobile1,Deployment_Successful| host-1,PROD,1666680,mobile2,Deployment_failed| host-1,PROD,1666680,mobile3,exception| host-1,PROD,1666001,mobile1,Deployment_Successful| host-1,PROD,1666601,mobile2,Deployment_failed| host-1,PROD,16666801,mobile3,exception" | eval _raw=split(_raw, "|") | mvexpand _raw `comment("All of the above just sets up test data")` | rex field=_raw "(\w+\-\d+)\,(\w+)\,(\d+)\,(\w+),(?&lt;Status&gt;\w+.*)" | stats count by Status </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9024i709180A72A955080/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 01 Jun 2020 19:52:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469727#M132179 richgalloway 2020-06-01T19:52:08Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469728#M132180 <P>@richgalloway <BR /> I want to take input data from a log file instead of giving input in my query. Kindly help on that.</P> Tue, 02 Jun 2020 16:35:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469728#M132180 thaara 2020-06-02T16:35:14Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469729#M132181 <P>Replace everything above the comment with the SPL you use to input data from your log file. For example,</P> <PRE><CODE>sourcetype=sourcetype1 source=*.log | rex field=_raw "(\w+\-\d+)\,(\w+)\,(\d+)\,(\w+),(?&lt;Status&gt;\w+.*)" | stats count by Status </CODE></PRE> Tue, 02 Jun 2020 17:26:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-fields-and-create-a-pie-chart-of-status-count/m-p/469729#M132181 richgalloway 2020-06-02T17:26:41Z