I am new to Splunk dashboard development; so far I am creating KPIs using just 'single value'.
I have three KPIs that resulted in 600, 250, 150.
KPI 1 search expression - Result is 600 (example)
index=indexname kubernetes.container_name=name1
MESSAGE = "*search for code1*"
| spath output=msg path=MSG
| table _time msg
| stats count as count1
KPI 2 search expression - Result is 250 (example)
index=indexname kubernetes.container_name=name2
MESSAGE = "*search for code2*"
| spath output=msg path=MSG
| table _time msg
| stats count as count2
KPI 3 search expression - Result is 150 (example)
index=indexname kubernetes.container_name=name3
MESSAGE = "*search for code3*"
| spath output=msg path=MSG
| table _time msg
| stats count as count3
I have shown the above KPIs as numbers in the dashboard. However, I would like to show a pie chart with 60%, 25% and 15% shares for the above numbers. Could anyone please help me with what the search expression would be to create this chart?
Thanks in advance.
Hi @rajusalmon1,
Add the below query to your dashboard, and select pie chart visualization from the option.
index=indexname kubernetes.container_name=name
MESSAGE IN ("search for code1","search for code2","search for code3")
| spath output=msg path=MSG
| table _time msg MESSAGE
| stats count by MESSAGE
accept & up-vote the answer if it helps.
We are trying to log the info with an extra field that will solve the issue.
try the below query,
index=nonprod kubernetes.container_name IN ("tpt", "rsv", "rsw") MESSAGE IN ("Code request", "pin in email", "pin in sms")
| spath output=msg path=MESSAGE
| table msg
| stats count
No luck, returning 0 results. Thanks for your help; we are trying to log the info with an extra field that will solve the issue.
Can you provide one JSON event sample?
I have tried to join like below
index=nonprod kubernetes.container_name=tpt MESSAGE = "Code request" | spath output=msg path=MESSAGE | table msg
| join msg [search index=nonprod kubernetes.container_name=rsv MESSAGE = "pin in email" | spath output=msg path=MESSAGE | table msg]
| join msg [search index=nonprod kubernetes.container_name=rsw MESSAGE = "pin in sms" | spath output=msg path=MESSAGE | table msg]
| stats count
But it results in 600 only.
If I run the below 3 queries separately, the result is (600, 250, 150); I would need to join them and make a pie chart.
index=nonprod kubernetes.container_name=tpt MESSAGE = "Code request"
| spath output=msg path=MESSAGE
| table msg
| stats count
index=nonprod kubernetes.container_name=rsv MESSAGE = "pin in email"
| spath output=msg path=MESSAGE
| table msg
| stats count
index=nonprod kubernetes.container_name=rsw MESSAGE = "pin in sms"
| spath output=msg path=MESSAGE
| table msg
| stats count
Thank you gaurav. Sorry, I forgot to mention in the actual question that kubernetes.container_name is different for all 3 queries. Could you please let me know if it works in the same manner?
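An added example, not part of the original thread: one way to get the three counts into a single result set for a pie chart when each KPI uses a different kubernetes.container_name, by OR-ing the three container/message pairs in one search and labelling each event instead of joining. It reuses the index, container names and messages quoted above; the wildcard match on MESSAGE (taken from the pattern in the original question) and the kpi field name are assumptions.

```spl
index=nonprod
    ((kubernetes.container_name="tpt" MESSAGE="*Code request*")
     OR (kubernetes.container_name="rsv" MESSAGE="*pin in email*")
     OR (kubernetes.container_name="rsw" MESSAGE="*pin in sms*"))
| eval kpi=case(
    'kubernetes.container_name'=="tpt", "Code request",
    'kubernetes.container_name'=="rsv", "pin in email",
    'kubernetes.container_name'=="rsw", "pin in sms")
| stats count by kpi
| sort - count
```

The result has one row per KPI, so the pie chart visualization draws one slice per row; if the three searches return 600, 250 and 150 when run separately, the slices are 60%, 25% and 15%.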