Splunk Search

Need to create a pie chart out of a table

Mrig342
Contributor

Hi All,

I have got logs like below:

Log1:
</tr>
<tr>
<td >Apple</td>
<td >59</td>
<td >7</td>

Log2:
</tr>
<tr>
<td >Samsung</td>
<td >61</td>
<td >13</td>

Log3:
</tr>
<tr>
<td >Oppo</td>
<td >34</td>
<td >5</td>

Log4:
</tr>
<tr>
<td >Vivo</td>
<td >38</td>
<td >11</td>

I have used the query below to extract fields from the data; the environment data is extracted from source.

.... | rex field=_raw "\<tr\>\s+\<td\s\>(?P<Domain>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Total>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Issues>[^\<]+)\<\/td\>"
| rex field=source "\/DashB\/[^\_]+\_(?P<Environment>[^\_]+)\_[^\.]+\.html"
| eval Running=(Total - Issues)
| stats sum(Running) as Running_count sum(Issues) as Issues_count by Environment

Now I want to create a pie chart view with Running_count and Issues_count as the slices of the pie chart with respect to the environment.

Please help to create/modify the query to get the desired visualization.

Your kind inputs are highly appreciated..!!

Thank you..!!


yuanliu
SplunkTrust

Are you saying you get raw events that are fragments of an HTML document? In any case, even though HTML is not the ideal data format for data structure, treating it as text still carries the usual risks, therefore I advise against it. Use spath to pretend that it is XML.

You didn't give enough of a snippet to show how Environment is actually coded and I don't want to speculate (read tea leaves), so I am going to use Vendor as groupby in my example. This is what I would do:

| spath
| eval Vendor = mvindex('tr.td', 0)
| eval Issues = tonumber(mvindex('tr.td', 2))
| eval Running = tonumber(mvindex('tr.td', 1)) - Issues
| stats sum(Running) as Running_count sum(Issues) as Issues_count by Vendor

Here is an emulation you can play with and compare with real data:

| makeresults
| eval log = mvappend("</tr>
<tr>
<td >Apple</td>
<td >59</td>
<td >7</td>", "</tr>
<tr>
<td >Samsung</td>
<td >61</td>
<td >13</td>", "</tr>
<tr>
<td >Oppo</td>
<td >34</td>
<td >5</td>", "</tr>
<tr>
<td >Vivo</td>
<td >38</td>
<td >11</td>")
| mvexpand log
| rename log AS _raw
``` data emulation above ```

Output of this emulation is:

| Vendor | Running_count | Issues_count |
|---|---|---|
| Apple | 52 | 7 |
| Oppo | 29 | 5 |
| Samsung | 48 | 13 |
| Vivo | 27 | 11 |
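
The caution above about treating HTML as text, shown outside Splunk as an added example (not code from either poster): the rex pattern from the question, rewritten as a Python regex, next to a tolerant HTML parser, run over the thread's four fragments. The `VARIANT` row, its vendor name, and all function and class names are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample events: the four fragments posted in the thread.
EVENTS = [
    "</tr>\n<tr>\n<td >Apple</td>\n<td >59</td>\n<td >7</td>",
    "</tr>\n<tr>\n<td >Samsung</td>\n<td >61</td>\n<td >13</td>",
    "</tr>\n<tr>\n<td >Oppo</td>\n<td >34</td>\n<td >5</td>",
    "</tr>\n<tr>\n<td >Vivo</td>\n<td >38</td>\n<td >11</td>",
]
# Constructed variant (assumption): same row shape, but <td> without the space and with an attribute.
VARIANT = '</tr>\n<tr>\n<td>Nokia</td>\n<td class="n">20</td>\n<td>4</td>'
# The rex pattern from the question, rewritten in Python regex syntax.
ROW_RE = re.compile(r"<tr>\s+<td\s>([^<]+)</td>\s+<td\s>([^<]+)</td>\s+<td\s>([^<]+)</td>")

class CellParser(HTMLParser):
    """Collect the text of every <td> cell, whatever its spacing or attributes."""
    def __init__(self):
        super().__init__()
        self.cells, self._in_td = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "td":
            self._in_td = True
            self.cells.append("")
    def handle_endtag(self, tag):
        if tag == "td":
            self._in_td = False
    def handle_data(self, data):
        if self._in_td:
            self.cells[-1] += data

def parse_event(raw):
    """Return (vendor, running, issues), or None if the event is not a 3-cell numeric row."""
    p = CellParser()
    p.feed(raw)
    p.close()
    cells = [c.strip() for c in p.cells]
    if len(cells) != 3 or not (cells[1].isdigit() and cells[2].isdigit()):
        return None
    total, issues = int(cells[1]), int(cells[2])
    return cells[0], total - issues, issues

def summarize(events):
    """Sum Running and Issues per vendor, like the stats ... by Vendor step."""
    out = {}
    for vendor, running, issues in filter(None, map(parse_event, events)):
        r, i = out.get(vendor, (0, 0))
        out[vendor] = (r + running, i + issues)
    return out
```

The regex matches all four posted fragments but silently skips the variant row, while the parser-based path extracts it and rejects anything that is not a three-cell numeric row.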