Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I get multiple output in one cell and upon clicking the output, it should show logs in a table below. Below is t

thatsabhijeet
Explorer
‎01-21-2022 11:44 PM

How can I get multiple output in one cell and upon clicking the output, it should show logs in a table below.
Below is the format.

statuscode for success =100, statuscode for warning = 200, statuscode for failure=300

 Country1Country2Country3
Application1Success - #count_value
Warning - #count_value
Failure - #count_value		Success - #count_value
Warning - #count_value
Failure - #count_value		Success - #count_value
Warning - #count_value
Failure - #count_value
Application2Success - #count_value
Warning - #count_value
Failure - #count_value		Success - #count_value
Warning - #count_value
Failure - #count_value		Success - #count_value
Warning - #count_value
Failure - #count_value
Application3Success - #count_value
Warning - #count_value
Failure - #count_value		Success - #count_value
Warning - #count_value
Failure - #count_value		Success - #count_value
Warning - #count_value
Failure - #count_value
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-22-2022 02:02 AM

This looks like it might be JSON? So, you field names might be something like this

 

| makeresults count=100
| eval _raw="{\"appName\":\"Application".(random()%3+1)."\",
  \"countryCode\":\"Country".(random()%3+1)."\",
  \"message\":{
  \"countryCode\":\"Country".(random()%3+1)."\",
  \"statusCode\":".100*(1+random()%3)."}
  }
}"
| spath
| stats count by appName countryCode message.statusCode
| eval status=case('message.statusCode'==100,'message.statusCode'." - ".count,'message.statusCode'==200,'message.statusCode'." - ".count,'message.statusCode'==300,'message.statusCode'." - ".count)
| stats values(status) as status by appName countryCode 
| eval status=mvjoin(status,"
")
| eval status=replace(status,"100 -","Success -")
| eval status=replace(status,"200 -","Warning -")
| eval status=replace(status,"300 -","Failure -")
| chart values(status) as status by appName countryCode

 

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-22-2022 12:27 AM 
| makeresults count=100
| eval app="Application".(random()%3+1)
| eval status=100*(1+random()%3)
| eval country="Country".(random()%3+1)
| stats count by app country status
``` the lines above set up some dummy data ```
| eval status=case(status==100,status." - ".count,status==200,status." - ".count,status==300,status." - ".count)
| stats values(status) as status by app country
| eval status=mvjoin(status,"
")
| eval status=replace(status,"100 -","Success -")
| eval status=replace(status,"200 -","Warning -")
| eval status=replace(status,"300 -","Failure -")
| chart values(status) as status by app country
0 Karma
Reply
Solved! Jump to solution

thatsabhijeet
Explorer
‎01-22-2022 01:23 AM

But sir,

If my country names are stored in a field_name as country and application_names are stored in a field_name as applicationName.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-22-2022 01:34 AM

Use your field names as appropriate then! 

If you don't provide real example events etc., we have to make stuff up to demonstrate the solutions, and trust that you can understand the principles, so that you can implement for your specific case.

There are many different users out there and it is the principles which are important in the answers as they can be applied in multiple cases.

0 Karma
Reply
Solved! Jump to solution

thatsabhijeet
Explorer
‎01-22-2022 01:43 AM

Fields in the logs are like this.

thatsabhijeet_0-1642844623912.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-22-2022 02:02 AM

This looks like it might be JSON? So, you field names might be something like this

 

| makeresults count=100
| eval _raw="{\"appName\":\"Application".(random()%3+1)."\",
  \"countryCode\":\"Country".(random()%3+1)."\",
  \"message\":{
  \"countryCode\":\"Country".(random()%3+1)."\",
  \"statusCode\":".100*(1+random()%3)."}
  }
}"
| spath
| stats count by appName countryCode message.statusCode
| eval status=case('message.statusCode'==100,'message.statusCode'." - ".count,'message.statusCode'==200,'message.statusCode'." - ".count,'message.statusCode'==300,'message.statusCode'." - ".count)
| stats values(status) as status by appName countryCode 
| eval status=mvjoin(status,"
")
| eval status=replace(status,"100 -","Success -")
| eval status=replace(status,"200 -","Warning -")
| eval status=replace(status,"300 -","Failure -")
| chart values(status) as status by appName countryCode

 

Reply
Solved! Jump to solution

thatsabhijeet
Explorer
‎01-22-2022 02:40 AM

Sir , How to color the cell background as green, yellow and red according to failure percentage.
Only using splunk code. No external css should be used.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-22-2022 02:53 AM

This sort of question has been asked and answered multiple times. Here is one answer

How to change table cell background color depends on search 

0 Karma
Reply
Solved! Jump to solution

thatsabhijeet
Explorer
‎01-24-2022 12:10 AM

Dear Sir,

I want the colour of the cell according to Failure percentage, i.e. If Failure Percentage>90% then red, Failure percentage 50%-90% as yellow and Failure percentage as 0%-50% as green. Add the values are picked from the multiple value fields.

In the link you have provided, The coloumn  name changes. Hence please provide a new solution.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-25-2022 12:39 AM

You need to calculate the failure percentage and evaluate to given the colour you want and append that as the second multivalue

| makeresults count=100
| eval _raw="{\"appName\":\"Application".(random()%3+1)."\",
  \"countryCode\":\"Country".(random()%3+1)."\",
  \"message\":{
  \"countryCode\":\"Country".(random()%3+1)."\",
  \"statusCode\":".100*(1+(floor(log(random()%300))))."}
  }
}"
| spath
| stats count by appName countryCode message.statusCode
| eventstats sum(count) as total by appName countryCode
| eval failures=if('message.statusCode'==300,100*count/total,null())
| eval status=case('message.statusCode'==100,'message.statusCode'." - ".count,'message.statusCode'==200,'message.statusCode'." - ".count,'message.statusCode'==300,'message.statusCode'." - ".count)
| stats values(status) as status values(failures) as failures by appName countryCode 
| eval status=mvjoin(status,"
")
| eval status=replace(status,"100 -","Success -")
| eval status=replace(status,"200 -","Warning -")
| eval status=replace(status,"300 -","Failure -")
| eval failures=case(failures>90,"red",failures>50,"yellow",1==1,"green")
| eval status=mvappend(status,failures)
| chart values(status) as status by appName countryCode
0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top