Solved: Results of 2 query in Pie Chart

motupaul · ‎06-05-2018

Hi All,

I am looking for pie chart which number success & Error events in the search. Below are my 2 query's.

Query 1 :- host = servername sourcetype=file index=index_prod "ERROR" | stats count
Query 2 :- host = servername sourcetype=file index=index_prod "Success" | stats count

Initially i though to extract the field, But the in the event "Error" & "Success" falls on different fields. Can some please suggestion an idea.

martin_mueller · ‎06-05-2018

Chart this as a pie:

host = servername sourcetype=file index=index_prod ("ERROR" OR "SUCCESS") | eval class = if(searchmatch("ERROR"), "ERROR", "SUCCESS") | stats count by class

Combining the two searches will also give you a performance boost 🙂

Note, I've assumed that events containing both ERROR and SUCCESS will only be counted as ERROR.

View solution in original post

motupaul · ‎10-23-2018

Thank you very much

martin_mueller · ‎06-05-2018

Chart this as a pie:

host = servername sourcetype=file index=index_prod ("ERROR" OR "SUCCESS") | eval class = if(searchmatch("ERROR"), "ERROR", "SUCCESS") | stats count by class

Combining the two searches will also give you a performance boost 🙂

Note, I've assumed that events containing both ERROR and SUCCESS will only be counted as ERROR.

Results of 2 query in Pie Chart

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)