I wanted to create a piechart with the X and Y,I have already counted coming in from the data
example of event data:
1/30/18 7:15:22.000 PM 2018-01-30 11:05:12.26;DEV;compute;X;Y
X is the good_count
Y is the bad_count
Provided you already have the good_count and bad_count fields extracted for environment="DEV" ( or process="compute"), you can try the following:
<YourBaseSearch>
| table environment bad_count good_count
| transpose header_field="environment" column_name="environment"
Following is a run anywhere search based on data/details provided:
| makeresults
| eval _raw="1/30/18 7:15:22.000 PM 2018-01-30 11:05:12.26;DEV;compute;40;5"
| rex "(AM|PM)\s(?<_time>[^;]+);(?<environment>[^;]+);(?<process>[^;]+);(?<good_count>[^;]+);(?<bad_count>\d+)"
| table environment bad_count good_count
| transpose header_field="environment" column_name="environment"
You could use transpose
for this. For a run-anywhere example, try:
| makeresults
| eval _raw="1/30/18 7:15:22.000 PM 2018-01-30 11:05:12.26;DEV;compute;150;35"
| rex "compute;(?<good_count>[^;]+);(?<bad_count>.*)"
| table good_count bad_count
| transpose
Then look at the visualization tab and change to pie chart.
Provided you already have the good_count and bad_count fields extracted for environment="DEV" ( or process="compute"), you can try the following:
<YourBaseSearch>
| table environment bad_count good_count
| transpose header_field="environment" column_name="environment"
Following is a run anywhere search based on data/details provided:
| makeresults
| eval _raw="1/30/18 7:15:22.000 PM 2018-01-30 11:05:12.26;DEV;compute;40;5"
| rex "(AM|PM)\s(?<_time>[^;]+);(?<environment>[^;]+);(?<process>[^;]+);(?<good_count>[^;]+);(?<bad_count>\d+)"
| table environment bad_count good_count
| transpose header_field="environment" column_name="environment"
How do I display those values good_count,bad_count on pie slices ?
Add the following as final pipe | eval environment=environment." (".DEV.")"
Following is the updated run anywhere search
| makeresults
| eval _raw="1/30/18 7:15:22.000 PM 2018-01-30 11:05:12.26;DEV;compute;40;5"
| rex "(AM|PM)\s(?<_time>[^;]+);(?<environment>[^;]+);(?<process>[^;]+);(?<good_count>[^;]+);(?<bad_count>\d+)"
| table environment bad_count good_count
| transpose header_field="environment" column_name="environment"
| eval environment=environment." (".DEV.")"