Dashboard SPL

phanikumarcs
Explorer

Hi @ITWhisperer
index=foo sourcetype=json_foo source="az-foo"
|rename tags.envi as env
|search env="*A00001*" OR env="*A00002*" OR env="*A00005*" OR env="*A00020*"
|table env

From the fields, I am using:
env="*A00001*" as "PBC"
env="*A00002*" as "PBC"
env="*A00005*" as "KCG"
env="*A00020*" as "TTK"

Reference: screenshot (phanikumarcs_0-1707930080512.png)

From this SPL, I am trying to create a table like:
------------------------------------------------------
PBC          |   KCG          |   TTK
------------------------------------------------------
all values   |   all values   |   all values
count        |   count        |   count


 

0 Karma
1 Solution

ITWhisperer
SplunkTrust
index=foo sourcetype=json_foo source="az-foo"
|rename tags.envi as env
|search env="*A00001*" OR env="*A00002*" OR env="*A00005*" OR env="*A00020*"
|stats count by env
|eval env=case(match(env,"A00001"),"PBC",match(env,"A00002"),"PBC",match(env,"A00005"),"KCG",match(env,"A00020"),"TTK",true(),env)


0 Karma

ITWhisperer
SplunkTrust

Do you mean something like this?

index=foo sourcetype=json_foo source="az-foo"
|rename tags.envi as env
|search env="*A00001*" OR env="*A00002*" OR env="*A00005*" OR env="*A00020*"
|stats count by env
0 Karma

phanikumarcs
Explorer

@ITWhisperer No, I mean like, I already tried what you suggested.

From the below, under field PBC come the field values for A00001 and A00002, and the same for the others, KCG and TTK, as well, so these can show up in the table like above.

env="*A00001*" as "PBC"

env="*A00002*" as "PBC"

env="*A00005*" as "KCG"

env="*A00020*" as "TTK"

0 Karma

ITWhisperer
SplunkTrust
index=foo sourcetype=json_foo source="az-foo"
|rename tags.envi as env
|search env="*A00001*" OR env="*A00002*" OR env="*A00005*" OR env="*A00020*"
|stats count by env
|eval env=case(match(env,"A00001"),"PBC",match(env,"A00002"),"PBC",match(env,"A00005"),"KCG",match(env,"A00020"),"TTK",true(),env)
0 Karma

phanikumarcs
Explorer

@ITWhisperer Thanks for the solution, I made a few small changes as per my desired results.

0 Karma
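
An added example, not written by either poster and not the changes the original poster says they made: the accepted search applies the labels after `stats count by env`, so every distinct env value keeps its own row even when two of them share a label. Assigning the label before aggregating gives one row per label, with the env values behind it and a combined count. The field names `label` and `env_values` are assumptions chosen for this example.

```spl
index=foo sourcetype=json_foo source="az-foo"
| rename tags.envi as env
| search env="*A00001*" OR env="*A00002*" OR env="*A00005*" OR env="*A00020*"
| eval label=case(match(env,"A00001"),"PBC",match(env,"A00002"),"PBC",match(env,"A00005"),"KCG",match(env,"A00020"),"TTK",true(),env)
| stats values(env) as env_values count by label
```

Appending `| transpose header_field=label` turns the label rows into column headers, which is the layout sketched in the question.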