Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

piechart

avneet26
Engager
‎11-12-2020 01:38 AM

I want to create two pie chart each based upon the value of index I am choosing. using below two queries

 

1. index = index1 host=.......| ...

2. index=index2 host=....|

then i want to include both of these pie charts into the same report so that I can send them as alert in the same mail. How can I do that ? tried append and multi search but didnt help.

0 Karma
Reply

avneet26
Engager
‎11-12-2020 02:40 AM

it didnt give any results. my concern is how can I generate two different pie charts using these two searches and those two pie charts should be different based on index values(one for index1 other for index2)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-12-2020 02:48 AM

Sorry, I misunderstood, I thought you were trying to use two indexes in the same chart. The chart is a visualisation of the results of a query. I don't think there is a standard pie chart visualisation that produces multiple charts. Perhaps you should submit this as an improvement request.

0 Karma
Reply

avneet26
Engager
‎11-12-2020 02:27 AM

search index= index1
host=*
source=*logs* username
sourcetype=* | rex "user\":\"(?<user>[^\"]+)" | stats count by user] |
append [search index= index2
host=*
source=*logs* user
sourcetype=* | rex "user\":\"(?<user>[^\"]+)" | stats count by user]

 

this didnt work for me

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-12-2020 02:36 AM

In what way didn't it work? No result? Incorrect results? host missing?

Are these event similar, just in different indexes? Can you use:

search index=index1 OR index=index2
host=*
source=*logs* username
sourcetype=* | rex "user\":\"(?<user>[^\"]+)" | stats count by user

or 

| stats values(index) as index count by user

 or

| stats count by user index
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-12-2020 02:04 AM

Can you be a bit more specific about what you tried and why it didn't work? Append and multiple searches sound like they would normally solve the problem, so without further information, it is difficult to advise.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...