I am new to splunk dashboard development, so far I am creating KPI's using just 'single value'.
I have three KPI's resulted 600, 250, 150
KPI 1 search expression - Result is 600 (example)
index=indexname kubernetes.container_name=tpt
MESSAGE = "Code request"
| spath output=message path=MESSAGE
| table _time message
| stats count as count1
KPI 2 search expression - Result is 250 (example)
index=indexname kubernetes.container_name=rsv
MESSAGE = "pin in email"
| spath output=message path=MESSAGE
| table _time message
| stats count as count2
KPI 3 search expression - Result is 150 (example)
index=indexname kubernetes.container_name=rsv
MESSAGE = "pin in sms"
| spath output=message path=MESSAGE
| table _time message
| stats count as count3
I have shown above KPI's as numbers in the dashboard. However I would like show a pie chart with 60%, 25% and 15% share for above numbers. What would be search expression to create this chart?
You could achieve it by making it as a single query, extracting the fields and appending it using splunk append, below is the queries
index=indexname kubernetes.container_name=tpt MESSAGE = "*Code request*"
| spath output=msg path=MESSAGE
| eval counts=case((msg="Code request" ,"count1",msg="pin in email" ,"count2",msg="pin in sms" ,"count3")
| stats count by counts
| append [search index=indexname kubernetes.container_name=rsv MESSAGE = "*pin in email*"
| spath output=msg path=MESSAGE
| eval counts=case((msg="Code request" ,"count1",msg="pin in email" ,"count2",msg="pin in sms" ,"count3")
| stats count by counts
| append [search index=indexname kubernetes.container_name=rsv MESSAGE = "*pin in sms*"
| spath output=msg path=MESSAGE
| eval counts=case((msg="Code request" ,"count1",msg="pin in email" ,"count2",msg="pin in sms" ,"count3")
| stats count by counts ]]