Re: Multiple searches in one chart

brownd92 · ‎09-17-2012

Hi there,
I would like to merge multiple searches into one pie chart. Examples of searches would be:

sourcetype="BustedServer" iphone
sourcetype="BustedServer" iPad
sourcetype="BustedServer" Android
sourcetype="BustedServer" Blackeberry
sourcetype="BustedServer" Windows

Anyone any ideas please?

Thanks in advance.

David

ytamura · ‎09-17-2012

I think MuS's answer is the cleanest way to do this. However, if you wanted do a quick field extraction on the fly and regex is too daunting, you can take advantage of the eval command to see results quickly:

sourcetype="BustedServer" | eval mobileType=case(searchmatch("iphone"),"iPhone",searchmatch("android"),"Android",searchmatch("Blackberry"),"Blackberry",searchmatch("Windows"),"Windows",searchmatch("iPad"),"iPad") | stats count by mobileType

MuS · ‎09-17-2012

Hi brownd92

you can do this for example:

sourcetype="BustedServer" | stats count by YourFieldName

replace YourFieldName with the fieldname which contains iphone|iPad|Android|Backberry|Windows

Then you can create a pie chart out of it.

cheers,

MuS

MuS · ‎09-17-2012

have you tried the regex? since you want to do a pie chart, this is the easiest way.

brownd92 · ‎09-17-2012

Thanks Ill have a look 🙂

MuS · ‎09-17-2012

try this, it is a on the fly regex test:

sourcetype="BustedServer" | rex field=_raw "((?[^)(]+|(?R))+)"

this should match everything inside the first brackets and create a new field called Mobile_Brand

brownd92 · ‎09-17-2012

Thanks for the quick answer. However there is no fieldname containing this data due to the complex nature of it.

Here is an example of some records:

9/17/2012 10:46:18 AM 213.205.236.120 Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) 9/17/2012
10:58:36 AM 94.197.127.174 Mozilla/5.0 (Linux; U; Android 2.3.3; en-gb; GT-I9100 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

As you can see the information is just held in a string....

brownd92 · ‎09-17-2012

Thanks again for the quick answer.
Ive tried setting up a field extraction, however it dosent always appear in the same place. Compatible devices may have "android" and "windows" in the same string but in different places. The normal search works ok to get the information but I need to combine all the search results into one pie chart so I can get the percentages of each device used...

Thanks again

David

MuS · ‎09-17-2012

if the the keyword exist in each line at the same place, you can setup field extraction http://docs.splunk.com/Documentation/Splunk/4.3.4/Knowledge/Addfieldsatsearchtime to create your own field

brownd92 · ‎09-17-2012

Thanks for the quick answer. However there is no fieldname containing this data due to the complex nature of it.

Here is an example of some records:

9/17/2012 10:46:18 AM 213.205.236.120 Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko)
9/17/2012 10:58:36 AM 94.197.127.174 Mozilla/5.0 (Linux; U; Android 2.3.3; en-gb; GT-I9100 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
9/17/2012 10:59:50 AM 82.8.201.207 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTB5.6)

As you can see the information is just held in a string....

Thanks

Multiple searches in one chart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation