Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need to create a pie chart out of a table

Mrig342
Contributor
‎02-29-2024 01:55 AM

Hi All,

 

I have got logs like below:

Log1:
</tr>
<tr>
<td >Apple</td>
<td >59</td>
<td >7</td>

Log2:
</tr>
<tr>
<td >Samsung</td>
<td >61</td>
<td >13</td>

Log3:
</tr>
<tr>
<td >Oppo</td>
<td >34</td>
<td >5</td>

Log4:
</tr>
<tr>
<td >Vivo</td>
<td >38</td>
<td >11</td>

I have used below query to extract fields from the data and the environment data is extracted from source.

.... | rex field=_raw "\<tr\>\s+\<td\s\>(?P<Domain>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Total>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Issues>[^\<]+)\<\/td\>"
| rex field=source "\/DashB\/[^\_]+\_(?P<Environment>[^\_]+)\_[^\.]+\.html"
| eval Running=(Total - Issues)
| stats sum(Running) as Running_count sum(Issues) as Issues_count by Environment

Now I want to create a pie chart view with Running_count and Issues_count as the slices of the pie chart with respect to the environment.

Please help to create/modify the query to get the desired visualization.

 

Your kind inputs are highly appreciated..!!

Thank you..!!

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎02-29-2024 03:05 AM

Are you saying you get raw events that are fragments of an HTML document.  In any case, even though HTML is not the ideal data format for data structure, treating it as text still carries the usual risks, therefore I advise against.  Use spath to pretend that it is XML.

You didn't give enough snippet to show how Environment is actually coded and I don't want to speculate (read tea leaf), so I am going to use Vendor as groupby in my example.  This is what I  would do:

 

| spath
| eval Vendor = mvindex('tr.td', 0)
| eval Issues = tonumber(mvindex('tr.td', 2))
| eval Running = tonumber(mvindex('tr.td', 1)) - Issues
| stats sum(Running) as Running_count sum(Issues) as Issues_count by Vendor

 

Here is an emulation you can play with and compare with real data:

 

| makeresults
| eval log = mvappend("</tr>
<tr>
<td >Apple</td>
<td >59</td>
<td >7</td>", "</tr>
<tr>
<td >Samsung</td>
<td >61</td>
<td >13</td>", "</tr>
<tr>
<td >Oppo</td>
<td >34</td>
<td >5</td>", "</tr>
<tr>
<td >Vivo</td>
<td >38</td>
<td >11</td>")
| mvexpand log
| rename log AS _raw
``` data emulation above ```

 

Output of this emulation is

VendorRunning_countIssues_count
Apple527
Oppo295
Samsung4813
Vivo2711
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...