Dashboards & Visualizations

Can you help me generate a graph?

sagar1992
Explorer

My logs are like below:

{
    "message": "Rejected IDoc : 251387181",
    "severity": "INFO",
    "corelationid": "251387181",
    "flowName": "Starting_point_:_amplify-get-Flow",
    "MessageType": "grdproductapi",
    "event": "Receive"
}

{
    "message": "Rejected IDoc : 251387182",
    "severity": "INFO",
    "corelationid": "251387182",
    "flowName": "Starting_point_:_amplify-get-Flow",
    "MessageType": "grdproductapi",
    "event": "Receive"
}

{
    "message": "<?xml version='1.0' encoding='UTF-8'?>

    <IntermediateDocument>
        <ControlStructure>
            <NameofTableStructure>XYZ</NameofTableStructure>
            <Client>2</Client>
            <IDocnumber>XYZ</IDocnumber>
            <SAPReleaseforIDoc>XYZ</SAPReleaseforIDoc>
            <StatusofIDoc>XYZ</StatusofIDoc>
            <Direction>1</Direction>
            <Outputmode>4</Outputmode>
            <Nameofbasictype>XYZ</Nameofbasictype>
            <Extension>XYZ</Extension>
            <Messagetype>XYZ</Messagetype>
            <Senderport>XYZ</Senderport>
            <Partnertypeofsender>XYZ</Partnertypeofsender>
            <PartnerNumberofSender>XYZ</PartnerNumberofSender>
            <Receiverport>XYZ</Receiverport>
            <PartnertypeofReceiver>XYZ</PartnertypeofReceiver>
            <PartnerNumberofReceiver>MULESOFT_T</PartnerNumberofReceiver>
            <Createdon>XYZ</Createdon>
            <Createdat>XYZ</Createdat>
            <Serialization>XYZ</Serialization>
        </ControlStructure>
    </IntermediateDocument>
"
    "severity": "INFO",
    "corelationid": "251387181",
    "flowName": "Starting_point_:_amplify-get-Flow",
    "MessageType": "XYZ",
    "event": "Receive"
}

Query i am using is like below:

index="test_mulesoft"  source="SAP-GRD" IDocnumber OR Rejected | rex field=_raw "(?(\w+))<\/IDocnumber>" | rex field=_raw "Rejected IDoc : (?(\w+))" | eval TotalIdocsReceived = if (IdocsReceived != "","true","false"), TotalIdocsRejected = if (IdocsRejected != "","true","false") | table TotalIdocsReceived,TotalIdocsRejected | stats count(eval(TotalIdocsReceived == "true")) as TotalIdocsReceived, count(eval(TotalIdocsRejected == "true")) as TotalIdocsRejected

After which, I get a table like below:

TotalIdocsReceived  TotalIdocsRejected
8                       8

But, when I click on the visualization, it generates something like below.

I need 2 bars representing counts for TotalIdocsReceived and TotalIdocsRejected. I have gone through several tutorials, not have not been able to find the solution. alt text

Tags (3)
0 Karma
1 Solution

woodcock
Esteemed Legend

Just add this:

| transpose column_name=which
| rename "row 1" AS count

View solution in original post

0 Karma

woodcock
Esteemed Legend

Just add this:

| transpose column_name=which
| rename "row 1" AS count
0 Karma

sagar1992
Explorer

@woodcock Thanks a lot. You saved my HOURS.
Thank you so much.

0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...