Splunk Enterprise

How to frame this Pie chart- Dashboard panel?

Vani_26
Path Finder

below query:
index=app_mnt_apl  source=xxxx  

note: here the CustomerApp Details:  Countywise or CustomerApp Details:  Worldwise or CustomerApp Details:  Areawise are not in interested fields.


Sample logs:

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Countywise

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Worldwise

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Areawise

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Countywise

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Worldwise

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Areawise


I want to represent  CustomerApp Details: Areawise, Worldwise and countrywise   in a form of a pie  chart.
how to frame the query to get this???

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

If you have no field representation for CustomerApp Details then you can extract it and do the stats with this

| rex "CustomerApp Details:\s+(?<AppDetails>\w+)"
| stats count by AppDetails

then just display as a pie chart

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

If you have no field representation for CustomerApp Details then you can extract it and do the stats with this

| rex "CustomerApp Details:\s+(?<AppDetails>\w+)"
| stats count by AppDetails

then just display as a pie chart

Vani_26
Path Finder

hi @bowesmana , 
Thank you for the rex its working fine but i do have someother logs with the following 

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Countywise-Ctl

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Worldwise

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Areawise-Ctl

 

so, what would be the rex  for [thy-application_THY] - CustomerApp Details:  Countywise-Ctl and  Worldwise and Areawise-Ctl

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

So, the regex I suggested was

| rex "CustomerApp Details:\s+(?<AppDetails>\w+)"

and that looks for any 'word' character. If this is the last data on that row you could do

| rex "CustomerApp Details:\s+(?<AppDetails>.*)"

or you could do this, which will find anything up to the next whitespace

| rex "CustomerApp Details:\s+(?<AppDetails>[^\s]+)"

 

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...