
I am new to Splunk dashboard development; so far I am creating KPIs using just 'single value'.

I have three KPIs that resulted in 600, 250, 150

KPI 1 search expression - Result is 600 (example)

index=indexname kubernetes.container_name=tpt
MESSAGE = "Code request"
| spath output=message path=MESSAGE 
| table _time message
| stats count as count1

KPI 2 search expression - Result is 250 (example)

index=indexname kubernetes.container_name=rsv
MESSAGE = "pin in email"
| spath output=message path=MESSAGE 
| table _time message
| stats count as count2

KPI 3 search expression - Result is 150 (example)

index=indexname kubernetes.container_name=rsv
MESSAGE = "pin in sms"
| spath output=message path=MESSAGE
| table _time message
| stats count as count3

I have shown the above KPIs as numbers in the dashboard. However, I would like to show a pie chart with 60%, 25% and 15% shares for the above numbers. What would be the search expression to create this chart?



You could achieve it by making it a single query, extracting the fields and appending them using Splunk's append; below are the queries

index=indexname kubernetes.container_name=tpt MESSAGE = "*Code request*" 
| spath output=msg path=MESSAGE 
| eval counts=case(msg="Code request", "count1", msg="pin in email", "count2", msg="pin in sms", "count3")
| stats count by counts 
| append [search index=indexname kubernetes.container_name=rsv MESSAGE = "*pin in email*" 
| spath output=msg path=MESSAGE 
| eval counts=case(msg="Code request", "count1", msg="pin in email", "count2", msg="pin in sms", "count3")
| stats count by counts 
| append [search index=indexname kubernetes.container_name=rsv MESSAGE = "*pin in sms*" 
| spath output=msg path=MESSAGE 
| eval counts=case(msg="Code request", "count1", msg="pin in email", "count2", msg="pin in sms", "count3")
| stats count by counts ]]
  • Hi @Laminoo Lawrance, thanks for the help. I have changed the main question with the actual search string and tried the solution below. `index=indexname kubernetes.container_name=tpt or kubernetes.container_name=rsv MESSAGE = "Code request" OR MESSAGE = "pin in email" OR MESSAGE = "pin in sms" | rex field=_raw "MESSAGE\s=\s\"search\sfor\s<(?.*)>\"" | spath output=message path=MESSAGE | table _time message | eval counts=case((code="codel" ,"count1",code="code2" ,"count2",code="code3" ,"count3") | stats count by counts` It did not work, any help? – Raju Mar 11 '20 at 11:11
  • If I try with one kubernetes container name and remove the last line of code (stats count by counts) then it gives me some data in the table. If I try to group it, it shows 0 results. – Raju Mar 11 '20 at 11:24
  • Hi @Laminoo lawrance, it returned 0 records. If I run the query with only one kubernetes.container_name it returns the result. – Raju Mar 11 '20 at 12:20
  • Thank you for all your help. I ran the query as is and it returned 0 results. Changed path=MSG to path=MESSAGE, still returned 0 results. However, the individual queries are giving the result. – Raju Mar 11 '20 at 12:50
  • If I run the below 3 queries separately the result is (600,250,150) `index=indexname kubernetes.container_name=tpt MESSAGE = "*Code request*" | spath output=msg path=MESSAGE | table msg | stats count` `index=indexname kubernetes.container_name=rsv MESSAGE = "*pin in email*" | spath output=msg path=MESSAGE | table msg | stats count` `index=indexname kubernetes.container_name=rsv MESSAGE = "*pin in sms*" | spath output=msg path=MESSAGE | table msg | stats count` Since I have inconsistency in the search text, I have used *xxx* on both sides, so removed 'by msg'. Could you help to join the above 3? – Raju Mar 11 '20 at 13:07
  • I tried and it's not giving a result; then I removed 'by msg' at the end and it's giving a result of 600 (the result of the first query) – Raju Mar 11 '20 at 13:16
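A single combined search that produces the per-category counts a pie chart panel needs, added here as an example and not the asker's or the answerer's query. It assumes the same index, container names and MESSAGE phrases as the question; the field name `kpi`, the three labels and the percentage columns are my own choices. It uses `match()` instead of exact equality because the asker's working searches needed `*...*` wildcards, which suggests MESSAGE carries more text than the bare phrase; with exact equality `case()` returns null for every event and `stats count by` then reports nothing, which is one plausible reason for the 0 results in the comments (an assumption, the page does not confirm it).

```spl
index=indexname (kubernetes.container_name=tpt OR kubernetes.container_name=rsv)
    (MESSAGE="*Code request*" OR MESSAGE="*pin in email*" OR MESSAGE="*pin in sms*")
| spath output=msg path=MESSAGE
| eval kpi=case(match(msg, "Code request"), "Code request",
                match(msg, "pin in email"),  "Pin in email",
                match(msg, "pin in sms"),    "Pin in SMS")
| where isnotnull(kpi)
| stats count by kpi
| eventstats sum(count) as total
| eval percent=round(100*count/total, 1)
| fields kpi count percent
```

For the pie chart panel itself, stop the search after `stats count by kpi`: the visualization takes the first column as the label and the second as the value and derives the 60/25/15 shares on its own. The `eventstats` and `eval` lines are only needed when the share is to be displayed as a number in a table panel. Because all three categories come out of one search, the three KPIs are always computed over the same time range, which is what makes the shares comparable; it also makes the same panel a convenient place to notice a sudden shift in the email versus SMS pin share.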