Dashboards & Visualizations

Pie chart creation using multiple KPIs

rajusalmon1
New Member

Hi,

I am new to Splunk dashboard development; so far I am creating KPIs using just 'single value'.

I have three KPIs that resulted in 600, 250, 150.

KPI 1 search expression - Result is 600 (example)

index=indexname kubernetes.container_name=name1
MESSAGE = "*search for code1*"
| spath output=msg path=MSG
| table _time msg
| stats count as count1

KPI 2 search expression - Result is 250 (example)

index=indexname kubernetes.container_name=name2
MESSAGE = "*search for code2*"
| spath output=msg path=MSG
| table _time msg
| stats count as count2

KPI 3 search expression - Result is 150 (example)

index=indexname kubernetes.container_name=name3
MESSAGE = "*search for code3*"
| spath output=msg path=MSG
| table _time msg
| stats count as count3

I have shown the above KPIs as numbers in the dashboard. However, I would like to show a pie chart with 60%, 25% and 15% shares for the above numbers. Could anyone please help me with what the search expression would be to create this chart?

Thanks in advance.
Raju

0 Karma
1 Solution

gaurav_maniar
Builder

Hi @rajusalmon1,

Add the below query to your dashboard, and select pie chart visualization from the option.

index=indexname kubernetes.container_name=name
MESSAGE IN ("search for code1","search for code2","search for code3")
| spath output=msg path=MSG
| table _time msg MESSAGE
| stats count by MESSAGE

Accept & up-vote the answer if it helps.

0 Karma

rajusalmon1
New Member

We are trying to log the info with an extra field that will solve the issue.

0 Karma

gaurav_maniar
Builder

Try the below query:

index=nonprod kubernetes.container_name IN ("tpt", "rsv", "rsw") MESSAGE IN ("Code request", "pin in email", "pin in sms")
| spath output=msg path=MESSAGE 
| table msg 
| stats count

0 Karma

rajusalmon1
New Member

No luck, returning 0 results. Thanks for your help; we are trying to log the info with an extra field that will solve the issue.

0 Karma

gaurav_maniar
Builder

Can you provide one JSON event sample?

0 Karma

rajusalmon1
New Member

I have tried to join like below

index=nonprod kubernetes.container_name=tpt MESSAGE = "Code request" | spath output=msg path=MESSAGE | table msg
| join msg [search index=nonprod kubernetes.container_name=rsv MESSAGE = "pin in email" | spath output=msg path=MESSAGE | table msg]
| join msg [search index=nonprod kubernetes.container_name=rsw MESSAGE = "pin in sms" | spath output=msg path=MESSAGE | table msg]
| stats count

But it results in 600 only.

0 Karma

rajusalmon1
New Member

If I run the below 3 queries separately, the result is (600, 250, 150). I would need to join them and make a pie chart.

index=nonprod kubernetes.container_name=tpt MESSAGE = "Code request"
| spath output=msg path=MESSAGE
| table msg
| stats count

index=nonprod kubernetes.container_name=rsv MESSAGE = "pin in email"
| spath output=msg path=MESSAGE
| table msg
| stats count

index=nonprod kubernetes.container_name=rsw MESSAGE = "pin in sms"
| spath output=msg path=MESSAGE
| table msg
| stats count

0 Karma

rajusalmon1
New Member

Thank you gaurav. Sorry, I forgot to mention in the actual question that kubernetes.container_name is different for all 3 queries. Could you please let me know if it works in the same manner?

0 Karma
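
Added example, not part of the original thread: one way to turn the three separate counts posted above into a single result set that a pie chart can render. It reuses the index, container names and MESSAGE values from the posts; the `kpi` label field is a name chosen here for illustration, and the `spath` and `table` steps are left out because they do not change the count. `append` stacks the rows from each search, whereas `join` matches rows on a shared field value.

```spl
index=nonprod kubernetes.container_name=tpt MESSAGE="Code request"
| stats count
| eval kpi="Code request"
| append
    [ search index=nonprod kubernetes.container_name=rsv MESSAGE="pin in email"
    | stats count
    | eval kpi="pin in email" ]
| append
    [ search index=nonprod kubernetes.container_name=rsw MESSAGE="pin in sms"
    | stats count
    | eval kpi="pin in sms" ]
| table kpi count
```

The result has one row per KPI with the label in the first column and the count in the second, which is the layout the pie chart visualization uses to size each slice as a share of the total.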