Solved: How to frame this Pie chart- Dashboard panel? - Splunk Community

Splunk Enterprise

below query:
index=app_mnt_apl source=xxxx

note: here the CustomerApp Details: Countywise or CustomerApp Details: Worldwise or CustomerApp Details: Areawise are not in interested fields.

Sample logs:

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Countywise

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Worldwise

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Areawise

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Countywise

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Worldwise

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Areawise

I want to represent CustomerApp Details: Areawise, Worldwise and countrywise in a form of a pie chart.
how to frame the query to get this???

1 Solution

Solution

If you have no field representation for CustomerApp Details then you can extract it and do the stats with this

| rex "CustomerApp Details:\s+(?<AppDetails>\w+)"
| stats count by AppDetails

then just display as a pie chart

View solution in original post

Solution

If you have no field representation for CustomerApp Details then you can extract it and do the stats with this

| rex "CustomerApp Details:\s+(?<AppDetails>\w+)"
| stats count by AppDetails

then just display as a pie chart

hi @bowesmana ,
Thank you for the rex its working fine but i do have someother logs with the following

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Countywise-Ctl

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Worldwise

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Areawise-Ctl

so, what would be the rex for [thy-application_THY] - CustomerApp Details: Countywise-Ctl and Worldwise and Areawise-Ctl

So, the regex I suggested was

| rex "CustomerApp Details:\s+(?<AppDetails>\w+)"

and that looks for any 'word' character. If this is the last data on that row you could do

| rex "CustomerApp Details:\s+(?<AppDetails>.*)"

or you could do this, which will find anything up to the next whitespace

| rex "CustomerApp Details:\s+(?<AppDetails>[^\s]+)"

Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...