Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to show data in one pie chart from different splunk search result

neha_h
Explorer
‎05-27-2020 11:14 PM

I have below splunk events / search result:-
message: host id :undefined, test Id :"42342424-8bf9-4abdc", msg : processing test data
message: host id :undefined, test Id :"4eee2ab1-8bf9-4abdc", msg : data processing for test
message: host id :undefined, test Id :"5eee2ab1-8bf9-43434", msg : data processing for test
message: host id :undefined, test Id :"4234244-3339-4abdc", msg : processing test data
message: host id :undefined, test Id :"4ujuj-8bf9-qwqweees", msg : data processing for test1
message: host id :undefined, test Id :"4tft-8bf9-hjhheeessss", msg : data processing for test1
extras-path: /v1/test-data/test-update

I want to show the data in pie chart, so it should show 3 slice in 1 pie chart basically based on the msg part
so 2 count for data processing for test and 2 count for data processing for test1 and 1 count for this path
Actually i am not sure how to evaluate msg key and how to display 3 different result in 1 pie-chat . plz anyone can help.

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎05-28-2020 02:25 PM 
| makeresults 
| eval _raw="message: host id :undefined, test Id :\"4eee2ab1-8bf9-4abdc\", msg : data processing for test
message: host id :undefined, test Id :\"5eee2ab1-8bf9-43434\", msg : data processing for test
message: host id :undefined, test Id :\"4ujuj-8bf9-qwqweees\", msg : data processing for test1
message: host id :undefined, test Id :\"4tft-8bf9-hjhheeessss\", msg : data processing for test2" 
| multikv noheader=t 
| fields _raw 
| rename COMMENT as "from here, the logic" 
| rex "msg : (?<msg>.*)" 
| stats count by msg
  1. extract msg field
  2. aggregate by stats
  3. display on Pie Chart
0 Karma
Reply

neha_h
Explorer
‎05-28-2020 07:57 PM

@to4Kawa, but test Id is the random number generated unique everytime, I can't give any specific id in the search query. I just want to extract msg part which starts with "data processing"

0 Karma
Reply

to4kawa
Ultra Champion
‎05-28-2020 08:29 PM

use rex field=msg

0 Karma
Reply

neha_h
Explorer
‎05-29-2020 12:43 AM

Not working , i have updated my question with more details, I tried this but no luck:
index="testing" application="test-data" | rex field=msg

0 Karma
Reply

to4kawa
Ultra Champion
‎05-29-2020 02:48 AM

see reference
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...