How to make splunk pie chart with specific counts that I have in separate queries?


Basically I have 4 queries like this:

index=index source="source" "Exception 1"

index=index source="source" "Exception 2"

index=index source="source" "Exception 3"

index=index source="source" "Exception 4"

They're not exactly formatted like that, so I can't simply use regex to extract. But I have each one as separate queries and appended | stats count as Total to the end of each query to get the total count. Is there a simple way to combine all 4 of those into one pie chart or any chart for visualization?

I have tried using multisearch and other tools, but I'm not sure if I'm doing it wrong or if they just don't work. Will I just need to refine the logs to make it easier?

RichG On

Only a single query can be the source of a visualization so the four queries need to be combined into one. There's no need for separate stats commands, either, but it does have to produce two fields for a proper pie chart.

index=index source="source" ("Exception 1" OR "Exception 2" OR "Exception 3" OR "Exception 4")
| eval Exception=if(searchmatch("Exception 1"), 1,
                 if(searchmatch("Exception 2"), 2,
                 if(searchmatch("Exception 3"), 3, 4)))
| stats count as Total by Exception