Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to separate fields and create a pie chart of status count?

thaara
Explorer
‎06-01-2020 10:12 AM

Hi Splunkers,

Please guide us on the requirement below:

Input:

server, env, req no, input field,status
host-1,PROD,1666680,mobile1,Deployment_Successful
host-1,PROD,1666680,mobile2,Deployment_failed
host-1,PROD,1666680,mobile3,exception
host-1,PROD,1666001,mobile1,Deployment_Successful
host-1,PROD,1666601,mobile2,Deployment_failed
host-1,PROD,16666801,mobile3,exception

Expected output: Pie chart with status count

My trial:

sourcetype=sourcetype1 source=*.log  
| rex field=_raw "(?\w+\-\d+)\,(?\w+\/\w+)\,(?\d+)\,(?\w+)\,,(?\w+.*)" 
| stats count by Status

The above search is not showing the count if the log has different statuses. Kindly help to guide on this.

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-01-2020 12:52 PM

Try this run-anywhere example, which displays a pie chart with 3 segments.

| makeresults | eval _raw="host-1,PROD,1666680,mobile1,Deployment_Successful|
 host-1,PROD,1666680,mobile2,Deployment_failed|
 host-1,PROD,1666680,mobile3,exception|
 host-1,PROD,1666001,mobile1,Deployment_Successful|
 host-1,PROD,1666601,mobile2,Deployment_failed|
 host-1,PROD,16666801,mobile3,exception" | eval _raw=split(_raw, "|") | mvexpand _raw
`comment("All of the above just sets up test data")`
 | rex field=_raw "(\w+\-\d+)\,(\w+)\,(\d+)\,(\w+),(?<Status>\w+.*)"
 | stats count by Status

alt text

---
If this reply helps you, Karma would be appreciated.
Preview file
1 KB
0 Karma
Reply

thaara
Explorer
‎06-02-2020 09:35 AM

@richgalloway
I want to take input data from a log file instead of giving input in my query. Kindly help on that.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2020 10:26 AM

Replace everything above the comment with the SPL you use to input data from your log file. For example,

sourcetype=sourcetype1 source=*.log
| rex field=_raw "(\w+\-\d+)\,(\w+)\,(\d+)\,(\w+),(?<Status>\w+.*)"
| stats count by Status
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-01-2020 10:51 AM

Please edit your question to correct the rex command. Also, please share your results and the desired output.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

thaara
Explorer
‎06-01-2020 11:02 AM

sourcetype=sourcetype1 source=.log | rex field=_raw "(?\w+-\d+)\,(?\w+\/\w+)\,(?\d+)\,(?\w+)\,(?\w+.)" | stats count by Status

Output am getting as NONE in pie chart view.

please note: If i have only one kind of status example as "deployment_successful" in my log, I can seethe count, but if there are different statuses, I cannot create a pie chart

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-01-2020 12:48 PM

Your regular expression (rex command) doesn't match the data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...