Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need to create a pie chart out of a table

Mrig342
Contributor
‎02-29-2024 01:55 AM

Hi All,

 

I have got logs like below:

Log1:
</tr>
<tr>
<td >Apple</td>
<td >59</td>
<td >7</td>

Log2:
</tr>
<tr>
<td >Samsung</td>
<td >61</td>
<td >13</td>

Log3:
</tr>
<tr>
<td >Oppo</td>
<td >34</td>
<td >5</td>

Log4:
</tr>
<tr>
<td >Vivo</td>
<td >38</td>
<td >11</td>

I have used below query to extract fields from the data and the environment data is extracted from source.

.... | rex field=_raw "\<tr\>\s+\<td\s\>(?P<Domain>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Total>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Issues>[^\<]+)\<\/td\>"
| rex field=source "\/DashB\/[^\_]+\_(?P<Environment>[^\_]+)\_[^\.]+\.html"
| eval Running=(Total - Issues)
| stats sum(Running) as Running_count sum(Issues) as Issues_count by Environment

Now I want to create a pie chart view with Running_count and Issues_count as the slices of the pie chart with respect to the environment.

Please help to create/modify the query to get the desired visualization.

 

Your kind inputs are highly appreciated..!!

Thank you..!!

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎02-29-2024 03:05 AM

Are you saying you get raw events that are fragments of an HTML document.  In any case, even though HTML is not the ideal data format for data structure, treating it as text still carries the usual risks, therefore I advise against.  Use spath to pretend that it is XML.

You didn't give enough snippet to show how Environment is actually coded and I don't want to speculate (read tea leaf), so I am going to use Vendor as groupby in my example.  This is what I  would do:

 

| spath
| eval Vendor = mvindex('tr.td', 0)
| eval Issues = tonumber(mvindex('tr.td', 2))
| eval Running = tonumber(mvindex('tr.td', 1)) - Issues
| stats sum(Running) as Running_count sum(Issues) as Issues_count by Vendor

 

Here is an emulation you can play with and compare with real data:

 

| makeresults
| eval log = mvappend("</tr>
<tr>
<td >Apple</td>
<td >59</td>
<td >7</td>", "</tr>
<tr>
<td >Samsung</td>
<td >61</td>
<td >13</td>", "</tr>
<tr>
<td >Oppo</td>
<td >34</td>
<td >5</td>", "</tr>
<tr>
<td >Vivo</td>
<td >38</td>
<td >11</td>")
| mvexpand log
| rename log AS _raw
``` data emulation above ```

 

Output of this emulation is

VendorRunning_countIssues_count
Apple527
Oppo295
Samsung4813
Vivo2711
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...