- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: how to show data in one pie chart from differe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to show data in one pie chart from different splunk search result
I have below splunk events / search result:-
message: host id :undefined, test Id :"42342424-8bf9-4abdc", msg : processing test data
message: host id :undefined, test Id :"4eee2ab1-8bf9-4abdc", msg : data processing for test
message: host id :undefined, test Id :"5eee2ab1-8bf9-43434", msg : data processing for test
message: host id :undefined, test Id :"4234244-3339-4abdc", msg : processing test data
message: host id :undefined, test Id :"4ujuj-8bf9-qwqweees", msg : data processing for test1
message: host id :undefined, test Id :"4tft-8bf9-hjhheeessss", msg : data processing for test1
extras-path: /v1/test-data/test-update
I want to show the data in pie chart, so it should show 3 slice in 1 pie chart basically based on the msg part
so 2 count for data processing for test and 2 count for data processing for test1 and 1 count for this path
Actually i am not sure how to evaluate msg key and how to display 3 different result in 1 pie-chat . plz anyone can help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="message: host id :undefined, test Id :\"4eee2ab1-8bf9-4abdc\", msg : data processing for test
message: host id :undefined, test Id :\"5eee2ab1-8bf9-43434\", msg : data processing for test
message: host id :undefined, test Id :\"4ujuj-8bf9-qwqweees\", msg : data processing for test1
message: host id :undefined, test Id :\"4tft-8bf9-hjhheeessss\", msg : data processing for test2"
| multikv noheader=t
| fields _raw
| rename COMMENT as "from here, the logic"
| rex "msg : (?<msg>.*)"
| stats count by msg
- extract
msgfield - aggregate by
stats - display on
Pie Chart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4Kawa, but test Id is the random number generated unique everytime, I can't give any specific id in the search query. I just want to extract msg part which starts with "data processing"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
use rex field=msg
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not working , i have updated my question with more details, I tried this but no luck:
index="testing" application="test-data" | rex field=msg
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
