Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

piechart

avneet26
Engager
‎11-12-2020 01:38 AM

I want to create two pie chart each based upon the value of index I am choosing. using below two queries

 

1. index = index1 host=.......| ...

2. index=index2 host=....|

then i want to include both of these pie charts into the same report so that I can send them as alert in the same mail. How can I do that ? tried append and multi search but didnt help.

0 Karma
Reply

avneet26
Engager
‎11-12-2020 02:40 AM

it didnt give any results. my concern is how can I generate two different pie charts using these two searches and those two pie charts should be different based on index values(one for index1 other for index2)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-12-2020 02:48 AM

Sorry, I misunderstood, I thought you were trying to use two indexes in the same chart. The chart is a visualisation of the results of a query. I don't think there is a standard pie chart visualisation that produces multiple charts. Perhaps you should submit this as an improvement request.

0 Karma
Reply

avneet26
Engager
‎11-12-2020 02:27 AM

search index= index1
host=*
source=*logs* username
sourcetype=* | rex "user\":\"(?<user>[^\"]+)" | stats count by user] |
append [search index= index2
host=*
source=*logs* user
sourcetype=* | rex "user\":\"(?<user>[^\"]+)" | stats count by user]

 

this didnt work for me

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-12-2020 02:36 AM

In what way didn't it work? No result? Incorrect results? host missing?

Are these event similar, just in different indexes? Can you use:

search index=index1 OR index=index2
host=*
source=*logs* username
sourcetype=* | rex "user\":\"(?<user>[^\"]+)" | stats count by user

or 

| stats values(index) as index count by user

 or

| stats count by user index
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-12-2020 02:04 AM

Can you be a bit more specific about what you tried and why it didn't work? Append and multiple searches sound like they would normally solve the problem, so without further information, it is difficult to advise.

0 Karma
Reply
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...