Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me create a pie chart based on multiple searches?

karthi25
Path Finder
‎02-26-2019 04:30 AM

I need to create a pie chart based on different types of logs. I tried the below query, 

index=*** source=**** earliest=-7d@h latest=now  | append [search spath=TestSplunkLog.TestFailureLog.payload.failureCount output=failureCount|stats sum(failureCount) as TOTAL | eval Type="FAILURE" ] | append [search spath=TestSplunkLog.TestSuccessLog.payload.publishedCount output=publishedCount|stats sum(publishedCount) as TOTAL | eval Type="PUBLISHED" ]  | append [search spath=TestSplunkLog.TestSuccessLog.payload.duplicateCount output=duplicateCount|stats sum(duplicateCount) as TOTAL | eval Type="DUPLICATE" ]| stats values(TOTAL) by Type

But it is not returning anything. Can anyone please suggest me the right solution for my problem?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎02-26-2019 04:55 AM

You are not specifying where within your subsearches are you trying yo use spath, so nothing comes out of it.

Few things, use the argument path in the spath.

Do all the spaths as you need directly from what you are getting from the Index:

index=****** earliest=-7d@h latest=now 
spath path=TestSplunkLog.TestFailureLog.payload.failureCount output=failureCount
spath path=TestSplunkLog.TestSuccessLog.payload.publishedCount output=publishedCount 
spath path=TestSplunkLog.TestSuccessLog.payload.duplicateCount output=duplicateCount 
| table failureCount publishedCount duplicateCount
| transpose 0 column_name="TYPE"
| stats sum("row 1") as total by TYPE

View solution in original post

Reply
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎02-26-2019 04:55 AM

You are not specifying where within your subsearches are you trying yo use spath, so nothing comes out of it.

Few things, use the argument path in the spath.

Do all the spaths as you need directly from what you are getting from the Index:

index=****** earliest=-7d@h latest=now 
spath path=TestSplunkLog.TestFailureLog.payload.failureCount output=failureCount
spath path=TestSplunkLog.TestSuccessLog.payload.publishedCount output=publishedCount 
spath path=TestSplunkLog.TestSuccessLog.payload.duplicateCount output=duplicateCount 
| table failureCount publishedCount duplicateCount
| transpose 0 column_name="TYPE"
| stats sum("row 1") as total by TYPE
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...