I have 5 different searches I am doing in Splunk where I am getting the count of how many results from that search query.
I've had a look at this thread here:
https://answers.splunk.com/answers/757081/pie-chart-with-count-from-different-search-criteri.html
but it's not quite working for me, I'm not 100% sure if it's what I want.
My search queries all look something like this:
index=A variable="foo" message="Created*" | stats count
index=A variable="foo" message="Deleted*" | stats count
I ideally want to assign each query to a keyword - such as created, deleted, etc, then do a pie chart based on the counts.
The following should be sufficient.
index=A variable="foo" message="Created*" OR message="Deleted*" OR message="<repeat this for any other message types you want>" | stats count by message
If you can provide some more examples of the events you are trying to chart, there may be alternate approaches that can work for you.
This version will extract the key part of the message (Created, Deleted, etc.) into a field called mtype, and you can then perform stats on that field.
index=A variable="foo" message="Created*" OR message="Deleted*" OR message="<repeat this for any other message types you want>" | rex field=message "(?<mtype>Created|Deleted|...)" | stats count by mtype