Piechart
I am trying to plot a pie chart for the following query. A little push in the right direction would be greatly appreciated. Currently I can make a column chart with this output just fine. I am trying to use a pie chart instead.

    _source=logs
    | where url matches "/log*"
    | parse field=url "quickpicks.count=*&" as qps_count
    | where qps_count > 0
    | parse field=url "quickpicks.count.resale=*&" as qps_resale
    | parse field=url "quickpicks.count.platinum=*&" as qps_platinum
    | parse field=url "quickpicks.count.primary.protected=*&" as qps_primary_protected
    | parse field=url "quickpicks.count.primary.unprotected=*&" as qps_primary_unprotected
    | sum(qps_resale) as resale, sum(qps_platinum) as platinum, sum(qps_primary_protected) as primary_protected, sum(qps_primary_unprotected) as primary_unprotected
-
Hi;

In my experience, pie charts work best when you normalize your multiple fields into a single field and do a count by type from there. Basically, in your case I used a regex multi to parse out each quickpicks.count.* field as a type, which allows me to get a pie chart of the single field type, the values of which are assigned via the regex multi.

The documentation for regex multi can be found here: https://help.sumologic.com/Search/Search_Query_Language/Parse_Operators/Parse_Regex_or_Extract_Operator

I created this query that should be able to run in any Sumo environment as an example:

    *
    | limit 1
    | "quickpicks.count.resale=12&quickpicks.count.platinum=20&quickpicks.count.primary.protected=30&quickpicks.count.primary.unprotected=50&" as singleLog
    | parse regex field=singlelog "quickpicks.count.(?<type>.+?)=(?<count>.+?)&" multi
    | sum(count) by type

I would guess yours would look something more like this (I moved your matches into the first statement to make use of the FER indexing):

    _source=logs url=/log*
    | parse regex field=url "quickpicks.count.(?<type>.+?)=(?<qps_count>.+?)&" multi
    | where qps_count > 0
    | sum(qps_count) by type

Let me know if that helps...
-
Thank you @Kelly Hamm, that works. How do I strip off excess data from the URL? Currently I see some string patterns not matching the regex pass through, which skews the data. Ex:

    /log?event-id=blah&quickpicks.count.resale=8&quickpicks.count.primary.unprotected=10&quickpicks.count=18&criteria.filter.qty=2&domain=foo
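
The over-matching reported in the last comment, reproduced as an added example that is not part of the original thread. Python's `re` stands in for the Sumo Logic regex engine (`(?P<name>...)` instead of `(?<name>...)`), and the tightened pattern is a suggestion that assumes type names are lowercase words joined by dots and counts are digits.

```python
import re
from collections import Counter

# URL quoted in the last comment of the thread.
URL = ("/log?event-id=blah&quickpicks.count.resale=8"
       "&quickpicks.count.primary.unprotected=10&quickpicks.count=18"
       "&criteria.filter.qty=2&domain=foo")

# Constructed URL: the quickpicks field is the last parameter, so no "&" follows it.
URL_TRAILING = "/log?event-id=blah&quickpicks.count.platinum=3"

# The answer's pattern in Python syntax. Unescaped "." matches any character,
# so "quickpicks.count=" satisfies "quickpicks.count." and the lazy type group
# then runs forward to the next "=" in the URL.
LOOSE = re.compile(r"quickpicks.count.(?P<type>.+?)=(?P<count>.+?)&")

# Assumed tightening (not from the thread): literal dots, type limited to
# lowercase words joined by dots, numeric count, terminated by "&" or end of URL.
STRICT = re.compile(
    r"quickpicks\.count\.(?P<type>[a-z]+(?:\.[a-z]+)*)=(?P<count>\d+)(?=&|$)"
)


def extract(pattern, url):
    """Return every (type, count) pair the pattern finds in one URL."""
    return [(m["type"], m["count"]) for m in pattern.finditer(url)]


def totals(pattern, urls):
    """Sum counts per type across URLs, like `sum(count) by type`."""
    out = Counter()
    for url in urls:
        for kind, count in extract(pattern, url):
            out[kind] += int(count)
    return dict(out)


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        print(name, totals(pattern, [URL, URL_TRAILING]))
```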