Solved: How to frame this Pie chart- Dashboard panel? - Splunk Community

Splunk Enterprise

below query:
index=app_mnt_apl source=xxxx

note: here the CustomerApp Details: Countywise or CustomerApp Details: Worldwise or CustomerApp Details: Areawise are not in interested fields.

Sample logs:

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Countywise

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Worldwise

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Areawise

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Countywise

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Worldwise

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Areawise

I want to represent CustomerApp Details: Areawise, Worldwise and countrywise in a form of a pie chart.
how to frame the query to get this???

1 Solution

Solution

If you have no field representation for CustomerApp Details then you can extract it and do the stats with this

| rex "CustomerApp Details:\s+(?<AppDetails>\w+)"
| stats count by AppDetails

then just display as a pie chart

View solution in original post

Solution

If you have no field representation for CustomerApp Details then you can extract it and do the stats with this

| rex "CustomerApp Details:\s+(?<AppDetails>\w+)"
| stats count by AppDetails

then just display as a pie chart

hi @bowesmana ,
Thank you for the rex its working fine but i do have someother logs with the following

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Countywise-Ctl

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Worldwise

2022-11-12 15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Areawise-Ctl

so, what would be the rex for [thy-application_THY] - CustomerApp Details: Countywise-Ctl and Worldwise and Areawise-Ctl

So, the regex I suggested was

| rex "CustomerApp Details:\s+(?<AppDetails>\w+)"

and that looks for any 'word' character. If this is the last data on that row you could do

| rex "CustomerApp Details:\s+(?<AppDetails>.*)"

or you could do this, which will find anything up to the next whitespace

| rex "CustomerApp Details:\s+(?<AppDetails>[^\s]+)"

Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...