Dashboards & Visualizations

Display latest data

thaara
Explorer

Hi Splunkers,

We have two slices in a pie chart. This is for deployment. One is for successful logs and the other is for failure logs. We are checking the count of successful and failure logs. Consider that we have 10 successful logs and 2 failure logs. Those two failure logs have been analysed, the deployments have happened, and they are reflected in the successful logs as well, so the overall count is 12 successful logs and 2 failure logs. Even though we have deployed the failed labels and they are reflected fine in the successful log slice, the same failure logs still show up in the failure log slice as well, which causes a mismatch with the original count. Is there any way to have only the latest data in the pie chart?

Please note, we have a pie chart with two slices -> deployment success and deployment failure.

0 Karma

richgalloway
SplunkTrust
Please share the search you are using to create the pie chart.
---
If this reply helps you, an upvote would be appreciated.
0 Karma

thaara
Explorer

@richgalloway Please find the query below. 

index=XXX sourcetype=YYY source=*deploy_status.list host=ABC OR host=DEF
| stats count by Deploy_Status

FYI, we have given field extractions for the comma delimiters.

Output for this log is as below:

ABC,project/env,7654321,jenkins-111111.mnopqrs.int-554@abc,Deployment_Failed
ABC,project/env,7654321,jenkins-121211.qwertyui.int-560,Deployment_Successful

0 Karma

isoutamo
SplunkTrust

Hi

One way is to use dedup with the sortby option to get the latest/newest event only.
r. Ismo

0 Karma

richgalloway
SplunkTrust

It's possible to consider only the latest events, but there needs to be a field that distinguishes one set of failed/success events from another. I'm assuming that's the field with the value 7654321 in the sample logs.

index=XXX sourcetype=YYY source=*deploy_status.list host=ABC OR host=DEF
| rex "([^,]+?,){2}(?<id>\d+)"
| dedup id
| stats count by Deploy_Status

The dedup command takes the most recent event with an unseen value in the given field. If the id field is already extracted (perhaps by another name) then you can remove the rex command and update dedup.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
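
The latest-event-per-id approach from the answers above, as a self-contained search that can be pasted into any Splunk search bar (an added example, not part of the original thread). The four events are constructed in the thread's comma-delimited layout, the build names and the ids 7654322 and 7654323 are made up, and the explicit `sort 0 - _time` is there because generated events do not arrive newest-first the way indexed events do, so dedup would otherwise keep the wrong one.

```spl
| makeresults count=4
| streamstats count as n
| eval _time=_time + n*60
| eval _raw=case(
    n=1, "ABC,project/env,7654321,jenkins-build-1,Deployment_Failed",
    n=2, "ABC,project/env,7654321,jenkins-build-2,Deployment_Successful",
    n=3, "ABC,project/env,7654322,jenkins-build-3,Deployment_Successful",
    n=4, "DEF,project/env,7654323,jenkins-build-4,Deployment_Failed")
| rex "^(?:[^,]+,){2}(?<id>\d+),[^,]+,(?<Deploy_Status>[^,]+)$"
| sort 0 - _time
| dedup id
| stats count by Deploy_Status
```

Id 7654321 failed and was then redeployed, so only its later Deployment_Successful event survives the dedup, while 7654323, which was never redeployed, still counts as a failure.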