I need help in making the pie chart and put two pie's in it with one as success_transaction and other as error_transaction, when i am doing it, it is showing consolidated data with service name, also i would need to put count inside those pie's and provide a Y Axis title wiht those fields names,
i was using this query, please help me into solving this problem
index="aio" Environment="POD" Appid="APP-53" ("Invokema : call() :") OR ("exception" OR level="ERROR" NOT "NOT RACT" NOT H0 NOT "N is null" NOT "[null" NOT "lid N")
| rex field=_raw "00\s(?<service_name>\w+)-pod"
| rex field=_raw "]\s(?<valid_by>.*?)\s\:\scall()"
| eval success_flag = if(valid_by="Invokema", 1,0)
| fillnull validate_by value=null
| fillnull service_name value=nservice
| eval error_flag = if(valid_by="null", 1,0)
| stats sum(success_flag) as Success_Transaction, sum(error_flag) as Error_Transaction by service_name
you help will be appreciated.
club the success and Error under a single field say "results" or "action" and then you should be able to get the 2 values in a pie chart.
You can't put two datasets into a single pie chart when split by service_name as you have 2 lots of 100% (errors and success).
You can show this as a trellis view, which will then show two pie charts, one for success and the other for errors.
cant we update this query in some way to get both the results in one pie, when using trells it is giving two piechart, which is not helpful.
If you think of the data that is needed for a pie chart, you need
Service Success Fail
service 1 200 2
service 2 400 17
service 3 600 44
so the pie chart will only show 3 segments for Success, service 1 is approx 16% of the pie, service 2 is 33% and service 3 is 50%
So, if you put Failures into the pie, how are you expecting to visualise that, as you would then get 6 segments, 2 for each service, one large one with successes and one small one with failures.
Now Success is just a column of numbers and Service 1 failures is (2/1263*100), so approx 0.15% which is too small a slice to show on the pie chart. Splunk by default will aggregate small slices.
You can mangle data in any way you want in Splunk to get where you want to get to.
Could you help me to make only 2 slices with only success and failures as i will not be needing services column, it is only working on one service and just providing name for the need of bargraph, we wont be needing service name, it is not useful , i just need success and failure in piechart
Just make status indicate success of fail and then do this
...
| fillnull validate_by value=null
| eval status = case(valid_by="Invokema", 1,valid_by="null", 0, true(), -1)
| stats count by status