Dashboards & Visualizations

Pie chart creation using multiple KPIs

New Member

Hi,

I am new to Splunk dashboard development, so far I am creating KPI's using just 'single value'.

I have three KPI's that resulted in 600, 250, 150.

KPI 1 search expression - Result is 600 (example)

index=indexname kubernetes.container_name=name1
MESSAGE = "*search for code1*"
| spath output=msg path=MSG
| table _time msg
| stats count as count1

KPI 2 search expression - Result is 250 (example)

index=indexname kubernetes.container_name=name2
MESSAGE = "*search for code2*"
| spath output=msg path=MSG
| table _time msg
| stats count as count2

KPI 3 search expression - Result is 150 (example)

index=indexname kubernetes.container_name=name3
MESSAGE = "*search for code3*"
| spath output=msg path=MSG
| table _time msg
| stats count as count3

I have shown above KPI's as numbers in the dashboard. However, I would like show a pie chart with 60%, 25% and 15% share for above numbers. Could you anyone please help me what would be search expression to create this chart?

Thanks in advance.
Raju

0 Karma
1 Solution

hi @rajusalmon1 ,

Add the below query to your dashboard, and select pie chart visualization from the option.

index=indexname kubernetes.container_name=name
MESSAGE IN ("search for code1","search for code2","search for code3")
| spath output=msg path=MSG
| table _time msg
| stats count by MESSAGE

accept & up-vote the answer if it helps.

View solution in original post

0 Karma

New Member

We are trying log the info with extra field that will solve the issue.

0 Karma

hi @rajusalmon1 ,

Add the below query to your dashboard, and select pie chart visualization from the option.

index=indexname kubernetes.container_name=name
MESSAGE IN ("search for code1","search for code2","search for code3")
| spath output=msg path=MSG
| table _time msg
| stats count by MESSAGE

accept & up-vote the answer if it helps.

View solution in original post

0 Karma

try the below query,

index=nonprod kubernetes.container_name IN ("tpt", "rsv", "rsw") MESSAGE IN ("Code request", "pin in email", "pin in sms")
| spath output=msg path=MESSAGE 
| table msg 
| stats count
0 Karma

New Member

No luck, returning 0 results. Thank for your help, we are trying log the info with extra field that will solve the issue.

0 Karma

can you provide one json event sample

0 Karma

New Member

I have tried to join like below

index=nonprod kubernetes.containername=tpt MESSAGE = "Code request" | spath output=msg path=MESSAGE | table msg
| join msg [search index=nonprod kubernetes.container
name=rsv MESSAGE = "pin in email" | spath output=msg path=MESSAGE | table msg]
| join msg [search index=nonprod kubernetes.container_name=rsw MESSAGE = "pin in sms" | spath output=msg path=MESSAGE | table msg]
| stats count

But it results 600 only.

0 Karma

New Member

If I run below 3 queries separately result is (600,250,150) , I would need to join them and make a pie chart.

index=nonprod kubernetes.container_name=tpt MESSAGE = "Code request"
| spath output=msg path=MESSAGE
| table msg
| stats count

index=nonprod kubernetes.container_name=rsv MESSAGE = "pin in email"
| spath output=msg path=MESSAGE
| table msg
| stats count

index=nonprod kubernetes.container_name=rsw MESSAGE = "pin in sms"
| spath output=msg path=MESSAGE
| table msg
| stats count

0 Karma

New Member

Thank you gaurav. Sorry, I forgot to mention in actaul question that kubernetes.container_name is different for all 3 queries. Could you please let me know if it works in the same manner?

0 Karma