Splunk Search

Multiple Pie Charts from one search

Hazel
Communicator

Hello,

We have an app that pings urls to get the status codes. Each application has a separate url and so i use a search below to create a table of the results. You can ignore the rex field, i just use this to get the app name out for each WSDL.

sourcetype="WSDL*" | rex field=ping_url ".*\/(?[^/]*)\/.*" | fields - _raw, _time | fields application, status_code | chart count by application status_code 

This produces a table that shows each application (ie each different url i pinged) and then how many times each status code has come up. E.g

Application       200     401    400    
App1               12      3      0
App2               10      0      0
App3  ....

I want to use this to build pie charts, so we can see for each application, what % succeeded (e.g 200), what was unauthorized (401)... etc

However, from this search, I can only seem to build one pie chart. Is there any way that I can use my search to build a pie chart per line? Ie one for App1, one for App2... etc?

----- UPDATE ------

After the below comments, I have now implemented the stacked column chart, but because the application names are long, on the bottom axis they get truncated (ie Eve...Service for EventService) so i can't email them out as you don't know what it is. Is there a way to wrap the text on the axis or have it read downwards rather than across so you can read these? Thanks!

1 Solution

Simon_Shelston
Splunk Employee
Splunk Employee

You may want to take a look at a new feature in 4.1 called PostProcess:

"Sometimes you end up with a dashboard running lots of different searches that are very similar. You can save search resources by creating an advanced dashboard that feeds all downstream panels with one single search. Read on to learn how to use one base search for a dashboard, and postProcess to process the search differently for each panel."

http://www.splunk.com/base/Documentation/4.1/Developer/PostProcess

View solution in original post

Hazel
Communicator

Thanks - yes, I am planning to permanently extract the field, I have just done it this way for now as I am still working on deciding the best way to configure my search

0 Karma

dskillman
Splunk Employee
Splunk Employee

Post process like Simon recommended is probably the way to go, but I would recommend permanently extracting your fields rather than using the rex command. rex is good for testing and singular ad-hoc seaches but you can easily dig yourself into a big supportability headache if you use rex exclusively. You can use the IFX and paste your regex in or put the extraction into your props.conf file.

0 Karma

Simon_Shelston
Splunk Employee
Splunk Employee

You may want to take a look at a new feature in 4.1 called PostProcess:

"Sometimes you end up with a dashboard running lots of different searches that are very similar. You can save search resources by creating an advanced dashboard that feeds all downstream panels with one single search. Read on to learn how to use one base search for a dashboard, and postProcess to process the search differently for each panel."

http://www.splunk.com/base/Documentation/4.1/Developer/PostProcess

gkanapathy
Splunk Employee
Splunk Employee

I think there might be some options here: http://www.splunk.com/base/Documentation/latest/Developer/ChartReference or maybe the "bar" vs "column" charts would work, or maybe one of "width" or "orientation" settings would work. I haven't really used these.

0 Karma

Hazel
Communicator

Hi, thanks for this answer. I really like the stacked column chart, the only problem I have with it is that because there are so many applications, the name of the apps along the bottom axis get truncated ie D...e. Is there a way to tell it how to display the text? Ie, to wrap it across lines or to get it to display the titles on a vertical line downwards rather than across? I'd like to be able to send this out, but cant at the moment as you can't read the names.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

That is, "stacked column" chart, with "stackMode" set to 100%.

gkanapathy
Splunk Employee
Splunk Employee

Maybe you could look into doing a single chart with multiple 100%-stacked columns instead. They'll take up less space and be easier to compare, plus people who hate pie charts won't give you crap.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...