Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Display latest data

thaara
Explorer
‎07-28-2020 04:28 AM

Hi Splunkers,

 

We have two slices in a pie chart. This is for deployment. One is for Successful log and another is for failure log. We are checking for the count for successful and failure logs. Consider, we have 10 successful log and 2 failure logs. Those two failure logs details have been analysed and deployments have happened and it got reflected in successful log as well, so that the overall count is 12 successful logs and 2 failure logs. Even though we have deployed the failed labels and those are reflecting fine in successful log slice, the same failure log is coming in failure log as well which is making mismatch in the original count. Is there any way to have the latest data alone in the pie chart.

 

Please note, we have pie chart and we are having two slices -> deployment success and deployment failure

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2020 05:41 AM
Please share the search you are using to create the pie chart.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

thaara
Explorer
‎07-28-2020 06:32 AM

@richgalloway Please find the query below. 

index=XXX sourcetype=YYY source=*deploy_status.list host=ABC OR host=DEF
| stats count by Deploy_Status

 

FYI, we have given field extractions for the comma delimiters

Output  for this log is as below

ABC,project/env,7654321,jenkins-111111.mnopqrs.int-554@abc,Deployment_Failed
ABC,project/env,7654321,jenkins-121211.qwertyui.int-560,Deployment_Successful

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-28-2020 06:52 AM

Hi

one way is to use dedup with sortby option to get the latest/newest event only. 
r. Ismo

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2020 06:48 AM

It's possible to consider only the latest events, but there needs to be a field that distinguishes one set of failed/success events from another.  I'm assuming that's the field with the value 7654321 in the sample logs.

index=XXX sourcetype=YYY source=*deploy_status.list host=ABC OR host=DEF
| rex "([^,]+?,){2}(?<id>\d+)"
| dedup id
| stats count by Deploy_Status

The dedup command takes the most recent event with an unseen value in the given field.   If the id field is already extracted (perhaps by another name) then you can remove the rex command and update dedup.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...