Solved: Re: How to get count of multiple strings with comm...

habisht · ‎07-20-2019

I'm trying to create a dashboard which will display pie-charts from different results. For this, I've multiple strings from same index and same source type.
What I've tried:
1. get counts from each and then use in pie-chart with tokens.
2. append required search results and then use them in pie-chart.
Both are OK. but i think there might be some effective way to do this.

like: index=$index$ sourcetype=$sourcetype$ "my test string1" | count AS count1 "my test string2" | count AS count2

renjith_nair · ‎07-21-2019

@habisht,

Test this with one of your strings,

index=$index$ sourcetype=$sourcetype$ ("my test string1"  OR "my test string2" OR ..)
|stats count(eval(searchmatch("my test string1"))) as string1 ,count(eval(searchmatch("my test string2"))) as string2, ...

Happy Splunking!

View solution in original post

renjith_nair · ‎07-21-2019

@habisht,

Test this with one of your strings,

index=$index$ sourcetype=$sourcetype$ ("my test string1"  OR "my test string2" OR ..)
|stats count(eval(searchmatch("my test string1"))) as string1 ,count(eval(searchmatch("my test string2"))) as string2, ...

Happy Splunking!

habisht · ‎07-21-2019

Thanks @renjith.nair it worked.

How to get count of multiple strings with common index and source type?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life