https://community.splunk.com/t5/Splunk-Search/piechart/m-p/529116#M149388 <P>In what way didn't it work? No result? Incorrect results? host missing?</P><P>Are these event similar, just in different indexes? Can you use:</P><LI-CODE lang="markup">search index=index1 OR index=index2 host=* source=*logs* username sourcetype=* | rex "user\":\"(?&lt;user&gt;[^\"]+)" | stats count by user</LI-CODE><P>or&nbsp;</P><LI-CODE lang="markup">| stats values(index) as index count by user</LI-CODE><P>&nbsp;or</P><LI-CODE lang="markup">| stats count by user index</LI-CODE> Thu, 12 Nov 2020 10:36:11 GMT ITWhisperer 2020-11-12T10:36:11Z https://community.splunk.com/t5/Splunk-Search/piechart/m-p/529105#M149383 <P>I want to create two pie chart each based upon the value of index I am choosing. using below two queries</P><P>&nbsp;</P><P>1. index = index1 host=.......| ...</P><P>2. index=index2 host=....|</P><P>then i want to include both of these pie charts into the same report so that I can send them as alert in the same mail. How can I do that ? tried append and multi search but didnt help.</P> Thu, 12 Nov 2020 09:38:23 GMT https://community.splunk.com/t5/Splunk-Search/piechart/m-p/529105#M149383 avneet26 2020-11-12T09:38:23Z https://community.splunk.com/t5/Splunk-Search/piechart/m-p/529111#M149385 <P>Can you be a bit more specific about what you tried and why it didn't work? Append and multiple searches sound like they would normally solve the problem, so without further information, it is difficult to advise.</P> Thu, 12 Nov 2020 10:04:00 GMT https://community.splunk.com/t5/Splunk-Search/piechart/m-p/529111#M149385 ITWhisperer 2020-11-12T10:04:00Z https://community.splunk.com/t5/Splunk-Search/piechart/m-p/529114#M149386 <P>search index= index1<BR />host=*<BR />source=*logs* username<BR />sourcetype=* | rex "user\":\"(?&lt;user&gt;[^\"]+)" | stats count by user] |<BR />append [search index= index2<BR />host=*<BR />source=*logs* user<BR />sourcetype=* | rex "user\":\"(?&lt;user&gt;[^\"]+)" | stats count by user]</P><P>&nbsp;</P><P>this didnt work for me</P> Thu, 12 Nov 2020 10:27:38 GMT https://community.splunk.com/t5/Splunk-Search/piechart/m-p/529114#M149386 avneet26 2020-11-12T10:27:38Z https://community.splunk.com/t5/Splunk-Search/piechart/m-p/529116#M149388 <P>In what way didn't it work? No result? Incorrect results? host missing?</P><P>Are these event similar, just in different indexes? Can you use:</P><LI-CODE lang="markup">search index=index1 OR index=index2 host=* source=*logs* username sourcetype=* | rex "user\":\"(?&lt;user&gt;[^\"]+)" | stats count by user</LI-CODE><P>or&nbsp;</P><LI-CODE lang="markup">| stats values(index) as index count by user</LI-CODE><P>&nbsp;or</P><LI-CODE lang="markup">| stats count by user index</LI-CODE> Thu, 12 Nov 2020 10:36:11 GMT https://community.splunk.com/t5/Splunk-Search/piechart/m-p/529116#M149388 ITWhisperer 2020-11-12T10:36:11Z https://community.splunk.com/t5/Splunk-Search/piechart/m-p/529118#M149389 <P>it didnt give any results. my concern is how can I generate two different pie charts using these two searches and those two pie charts should be different based on index values(one for index1 other for index2)</P> Thu, 12 Nov 2020 10:40:37 GMT https://community.splunk.com/t5/Splunk-Search/piechart/m-p/529118#M149389 avneet26 2020-11-12T10:40:37Z https://community.splunk.com/t5/Splunk-Search/piechart/m-p/529119#M149390 <P>Sorry, I misunderstood, I thought you were trying to use two indexes in the same chart. The chart is <U>a</U> visualisation of the results of <U>a</U> query. I don't think there is a standard pie chart visualisation that produces multiple charts. Perhaps you should submit this as an improvement request.</P> Thu, 12 Nov 2020 10:48:25 GMT https://community.splunk.com/t5/Splunk-Search/piechart/m-p/529119#M149390 ITWhisperer 2020-11-12T10:48:25Z