Need to create a pie chart out of a table

Mrig342
Contributor

Hi All,

I have got logs like below:

Log1:
</tr>
<tr>
<td >Apple</td>
<td >59</td>
<td >7</td>

Log2:
</tr>
<tr>
<td >Samsung</td>
<td >61</td>
<td >13</td>

Log3:
</tr>
<tr>
<td >Oppo</td>
<td >34</td>
<td >5</td>

Log4:
</tr>
<tr>
<td >Vivo</td>
<td >38</td>
<td >11</td>

I have used the below query to extract fields from the data, and the environment data is extracted from source.

.... | rex field=_raw "\<tr\>\s+\<td\s\>(?P<Domain>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Total>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Issues>[^\<]+)\<\/td\>"
| rex field=source "\/DashB\/[^\_]+\_(?P<Environment>[^\_]+)\_[^\.]+\.html"
| eval Running=(Total - Issues)
| stats sum(Running) as Running_count sum(Issues) as Issues_count by Environment

Now I want to create a pie chart view with Running_count and Issues_count as the slices of the pie chart with respect to the environment.

Please help to create/modify the query to get the desired visualization.

Your kind inputs are highly appreciated..!!

Thank you..!!

0 Karma

yuanliu
SplunkTrust

Are you saying you get raw events that are fragments of an HTML document? In any case, even though HTML is not the ideal data format for data structure, treating it as text still carries the usual risks, therefore I advise against it. Use spath to pretend that it is XML.

You didn't give enough snippet to show how Environment is actually coded and I don't want to speculate (read tea leaves), so I am going to use Vendor as groupby in my example. This is what I would do:

| spath
| eval Vendor = mvindex('tr.td', 0)
| eval Issues = tonumber(mvindex('tr.td', 2))
| eval Running = tonumber(mvindex('tr.td', 1)) - Issues
| stats sum(Running) as Running_count sum(Issues) as Issues_count by Vendor

Here is an emulation you can play with and compare with real data:

| makeresults
| eval log = mvappend("</tr>
<tr>
<td >Apple</td>
<td >59</td>
<td >7</td>", "</tr>
<tr>
<td >Samsung</td>
<td >61</td>
<td >13</td>", "</tr>
<tr>
<td >Oppo</td>
<td >34</td>
<td >5</td>", "</tr>
<tr>
<td >Vivo</td>
<td >38</td>
<td >11</td>")
| mvexpand log
| rename log AS _raw
``` data emulation above ```

Output of this emulation is:

Vendor    Running_count    Issues_count
Apple     52               7
Oppo      29               5
Samsung   48               13
Vivo      27               11
0 Karma
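
Added example, not part of either post above: one way to reshape the `stats ... by Environment` output from the question so that Running_count and Issues_count become the two slices of a pie chart. The environment names PROD and UAT, and which vendor belongs to which, are constructed sample values, since the thread does not show the real source paths.

```spl
| makeresults
| eval row = split("PROD,Apple,59,7;PROD,Samsung,61,13;UAT,Oppo,34,5;UAT,Vivo,38,11", ";") ```constructed sample rows: Environment,Domain,Total,Issues```
| mvexpand row
| eval f = split(row, ",")
| eval Environment = mvindex(f, 0)
| eval Total = tonumber(mvindex(f, 2))
| eval Issues = tonumber(mvindex(f, 3))
| eval Running = Total - Issues
| stats sum(Running) as Running_count sum(Issues) as Issues_count by Environment
| untable Environment Status Count ```turn the two count columns into one row per Environment/Status pair```
| where Environment == "PROD" ```a pie chart draws a single series, so keep one environment per chart```
| fields Status Count ```first column becomes the slice label, second the slice size```
```

On real data, replace everything above the `stats` line with the base search and field extractions, then choose Pie Chart on the Visualization tab.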