Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Display latest data

thaara
Explorer
‎07-28-2020 04:28 AM

Hi Splunkers,

 

We have two slices in a pie chart. This is for deployment. One is for Successful log and another is for failure log. We are checking for the count for successful and failure logs. Consider, we have 10 successful log and 2 failure logs. Those two failure logs details have been analysed and deployments have happened and it got reflected in successful log as well, so that the overall count is 12 successful logs and 2 failure logs. Even though we have deployed the failed labels and those are reflecting fine in successful log slice, the same failure log is coming in failure log as well which is making mismatch in the original count. Is there any way to have the latest data alone in the pie chart.

 

Please note, we have pie chart and we are having two slices -> deployment success and deployment failure

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2020 05:41 AM
Please share the search you are using to create the pie chart.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

thaara
Explorer
‎07-28-2020 06:32 AM

@richgalloway Please find the query below. 

index=XXX sourcetype=YYY source=*deploy_status.list host=ABC OR host=DEF
| stats count by Deploy_Status

 

FYI, we have given field extractions for the comma delimiters

Output  for this log is as below

ABC,project/env,7654321,jenkins-111111.mnopqrs.int-554@abc,Deployment_Failed
ABC,project/env,7654321,jenkins-121211.qwertyui.int-560,Deployment_Successful

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-28-2020 06:52 AM

Hi

one way is to use dedup with sortby option to get the latest/newest event only. 
r. Ismo

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2020 06:48 AM

It's possible to consider only the latest events, but there needs to be a field that distinguishes one set of failed/success events from another.  I'm assuming that's the field with the value 7654321 in the sample logs.

index=XXX sourcetype=YYY source=*deploy_status.list host=ABC OR host=DEF
| rex "([^,]+?,){2}(?<id>\d+)"
| dedup id
| stats count by Deploy_Status

The dedup command takes the most recent event with an unseen value in the given field.   If the id field is already extracted (perhaps by another name) then you can remove the rex command and update dedup.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...