Splunk Enterprise

How to frame this Pie chart- Dashboard panel?

Vani_26
Path Finder

Below query:
index=app_mnt_apl  source=xxxx  

Note: here the CustomerApp Details:  Countywise or CustomerApp Details:  Worldwise or CustomerApp Details:  Areawise are not in interesting fields.


Sample logs:

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Countywise

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Worldwise

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Areawise

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Countywise

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Worldwise

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Areawise


I want to represent CustomerApp Details: Areawise, Worldwise and countrywise in the form of a pie chart.
How do I frame the query to get this?

0 Karma
1 Solution

bowesmana
SplunkTrust

If you have no field representation for CustomerApp Details then you can extract it and do the stats with this

| rex "CustomerApp Details:\s+(?<AppDetails>\w+)"
| stats count by AppDetails

then just display as a pie chart


Vani_26
Path Finder

Hi @bowesmana,
Thank you for the rex, it's working fine, but I do have some other logs with the following:

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Countywise-Ctl

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Worldwise

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Areawise-Ctl

 

So, what would be the rex for [thy-application_THY] - CustomerApp Details:  Countywise-Ctl and Worldwise and Areawise-Ctl?

 

0 Karma

bowesmana
SplunkTrust

So, the regex I suggested was

| rex "CustomerApp Details:\s+(?<AppDetails>\w+)"

and that looks for any 'word' character. If this is the last data on that row you could do

| rex "CustomerApp Details:\s+(?<AppDetails>.*)"

or you could do this, which will find anything up to the next whitespace

| rex "CustomerApp Details:\s+(?<AppDetails>[^\s]+)"

 

0 Karma
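
A run-anywhere search that puts the three patterns from the answer above side by side, added here as an example and not part of the original thread. The events are constructed from the sample logs (the last one, with trailing text, is made up to show the end-of-line case), and the field names constructed_event, word_chars, rest_of_line and to_whitespace are assumptions.

```spl
| makeresults
| eval constructed_event=mvappend(
    "[thy-application_THY] - CustomerApp Details:  Countywise-Ctl",
    "[thy-application_THY] - CustomerApp Details: Worldwise",
    "[thy-application_THY] - CustomerApp Details: Areawise-Ctl",
    "[thy-application_THY] - CustomerApp Details: Areawise-Ctl trailing=text")
| mvexpand constructed_event
| rex field=constructed_event "CustomerApp Details:\s+(?<word_chars>\w+)"
| rex field=constructed_event "CustomerApp Details:\s+(?<rest_of_line>.*)"
| rex field=constructed_event "CustomerApp Details:\s+(?<to_whitespace>[^\s]+)"
| table constructed_event word_chars rest_of_line to_whitespace
```

In the result table, word_chars stops at the hyphen (Countywise-Ctl comes back as Countywise), rest_of_line also picks up the trailing text on the last event, and to_whitespace returns Areawise-Ctl for both Areawise events. For the pie chart, swap the final table for `| stats count by to_whitespace`.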