Hello,
We have an app that pings URLs to get the status codes. Each application has a separate URL, and so I use the search below to create a table of the results. You can ignore the rex field; I just use this to get the app name out for each WSDL.
sourcetype="WSDL*" | rex field=ping_url ".*\/(?<application>[^/]*)\/.*" | fields - _raw, _time | fields application, status_code | chart count by application status_code
This produces a table that shows each application (i.e. each different URL I pinged) and then how many times each status code has come up. E.g.:

Application  200  401  400
App1         12   3    0
App2         10   0    0
App3         ....
I want to use this to build pie charts, so we can see for each application what % succeeded (e.g. 200), what was unauthorized (401)... etc.
However, from this search, I can only seem to build one pie chart. Is there any way that I can use my search to build a pie chart per line? I.e. one for App1, one for App2... etc.?
----- UPDATE ------
After the below comments, I have now implemented the stacked column chart, but because the application names are long, on the bottom axis they get truncated (i.e. Eve...Service for EventService), so I can't email them out as you don't know what it is. Is there a way to wrap the text on the axis or have it read downwards rather than across so you can read these? Thanks!
You may want to take a look at a new feature in 4.1 called PostProcess:
"Sometimes you end up with a dashboard running lots of different searches that are very similar. You can save search resources by creating an advanced dashboard that feeds all downstream panels with one single search. Read on to learn how to use one base search for a dashboard, and postProcess to process the search differently for each panel."
http://www.splunk.com/base/Documentation/4.1/Developer/PostProcess
Thanks - yes, I am planning to permanently extract the field, I have just done it this way for now as I am still working on deciding the best way to configure my search
Post process like Simon recommended is probably the way to go, but I would recommend permanently extracting your fields rather than using the rex command. rex is good for testing and singular ad-hoc searches, but you can easily dig yourself into a big supportability headache if you use rex exclusively. You can use the IFX and paste your regex in or put the extraction into your props.conf file.
I think there might be some options here: http://www.splunk.com/base/Documentation/latest/Developer/ChartReference or maybe the "bar" vs "column" charts would work, or maybe one of "width" or "orientation" settings would work. I haven't really used these.
Hi, thanks for this answer. I really like the stacked column chart; the only problem I have with it is that because there are so many applications, the names of the apps along the bottom axis get truncated, i.e. D...e. Is there a way to tell it how to display the text? I.e., to wrap it across lines or to get it to display the titles on a vertical line downwards rather than across? I'd like to be able to send this out, but can't at the moment as you can't read the names.
That is, "stacked column" chart, with "stackMode" set to 100%.
Maybe you could look into doing a single chart with multiple 100%-stacked columns instead. They'll take up less space and be easier to compare, plus people who hate pie charts won't give you crap.