Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Dashboard to show the values in slices or any way

phanikumarcs
Explorer
‎02-08-2024 05:11 AM

Hi Team,

I am trying to create a dashboard pie chart visualization with the spl query.
we have total_apps are 300, how many apps(count) are there out of this.
Note: why i am using "dc" here we have foo_foo_1, foo_foo_2, foo_foo_3 apps.

|rest /services/data/indexes
|rename title as index
|rex field=index "^foo_(?<appname>.+)"
|rex field=index "^foo_(?<appname>.+)_"
|table appname, index
|stats dc(appname) as currentapps
|eval currentapps = currentapps
|eval total_apps = 300



from this in pie chart its showing only total_apps or currentapps not both in single pie chart
so what is the issue. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2024 08:28 AM

Try something like this

|rest /services/data/indexes
|rename title as index
|rex field=index "^foo_(?<appname>.+)"
|rex field=index "^foo_(?<appname>.+)_"
|table appname, index
|stats dc(appname) as count
|eval title = "currentapps"
| append
[| makeresults
| eval count = 300
| eval title="total_apps"]
| table title count

View solution in original post

0 Karma
Reply
Solved! Jump to solution

phanikumarcs
Explorer
‎02-08-2024 11:41 AM

Thanks @ITWhisperer  its working for me

0 Karma
Reply
Solved! Jump to solution

phanikumarcs
Explorer
‎02-08-2024 06:32 AM

@ITWhisperer  thanks for the response,

actually, I am creating a pie chart in dashboard that will show "totalapps" count and "appname" count on pie chart in two slices.

where our totalapps is 300, and i am extracting appnames using rex.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2024 08:28 AM

Try something like this

|rest /services/data/indexes
|rename title as index
|rex field=index "^foo_(?<appname>.+)"
|rex field=index "^foo_(?<appname>.+)_"
|table appname, index
|stats dc(appname) as count
|eval title = "currentapps"
| append
[| makeresults
| eval count = 300
| eval title="total_apps"]
| table title count
0 Karma
Reply
Solved! Jump to solution

phanikumarcs
Explorer
‎02-09-2024 02:17 AM

@ITWhisperer  it works buts its not showing values(digits) on pie chart

phanikumarcs_0-1707473819507.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2024 02:33 AM

Numbers show up when you hover over each segment

0 Karma
Reply
Solved! Jump to solution

phanikumarcs
Explorer
‎02-09-2024 03:36 AM

So where i can change the changes in the spl or xml source @

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2024 03:40 AM

What changes are you expecting - this is the way pie charts work - you could consider appending the value to the title

|rest /services/data/indexes
|rename title as index
|rex field=index "^foo_(?<appname>.+)"
|rex field=index "^foo_(?<appname>.+)_"
|table appname, index
|stats dc(appname) as count
|eval title = "currentapps: ".count
| append
[| makeresults
| eval count = 300
| eval title="total_apps: ".count]
| table title count

 

0 Karma
Reply
Solved! Jump to solution

phanikumarcs
Explorer
‎02-09-2024 04:22 AM

@ITWhisperer  i am expexting the same in the attached picture 

Preview file
1643 KB
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2024 04:51 AM

As you can see here, there are no configuration options for this feature

0 Karma
Reply
Solved! Jump to solution

phanikumarcs
Explorer
‎02-09-2024 05:02 AM

1) yes, this is the first approach i have take, later i posted in the community. But why its not showing the value count over chart.

2) by the way @ITWhisperer  if you have any idea please help me for this
https://community.splunk.com/t5/All-Apps-and-Add-ons/JSON-data-unexpected-value-count/m-p/677019#M80...

3)is it possible to remove the label name below colored where like "Mon Jan 15" to "Jan 15" like this. from UI or XML source or SPL

phanikumarcs_0-1707483673191.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2024 05:29 AM

1) already answered - standard pie charts don't have this feature in Splunk

2) responded in thread

3) edit your dashboard panel and change the x-axis title to none

ITWhisperer_0-1707485340047.png

 

0 Karma
Reply
Solved! Jump to solution

phanikumarcs
Explorer
‎02-09-2024 09:35 AM

@ITWhisperer for this 3) edit your dashboard panel and change the x-axis title to none

I have found the solution to this issue. I applied the following SPL code to the existing SPL, and the visualization updated automatically to reflect the changes.

|timechart span=1d count
|eval Date=strftime(_time, "%m/%d")
|table Date, count

 

@ITWhisperer thanks for your time...

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2024 05:47 AM

It is not clear what result you are expecting - please can you expand your question

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...