https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516736#M145250 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mvasquez21_0-1598626596705.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10557iCC984DA6002CFF92/image-size/medium?v=v2&amp;px=400" role="button" title="mvasquez21_0-1598626596705.png" alt="mvasquez21_0-1598626596705.png" /></span></P><P>&nbsp;</P> Fri, 28 Aug 2020 14:56:46 GMT mvasquez21 2020-08-28T14:56:46Z https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516713#M145240 <P>My boss has asked me to create a chart that shows the number of fired alerts (y-axis) by day of the month (x-axis). I suggested we do this as a stacked chart with each alert represented by a different color. I know the alert variable is "ss_name" and i found this expression to create the "date":</P><P>convert timeformat="%m-%d" ctime(_time) AS date</P><P>I just cant get the correct syntax to get all 3 elements in to the chart. So far i have this:</P><P>index=_audit action="alert_fired" | convert timeformat="%m-%d" ctime(_time) AS date | timechart date by ss_name</P><P>&nbsp;</P><P>Thanks!</P> Fri, 28 Aug 2020 14:02:35 GMT https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516713#M145240 mvasquez21 2020-08-28T14:02:35Z https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516718#M145243 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207748">@mvasquez21</a>,</P><P>why do you want to complicate the search?</P><P>timechart is sufficient for your need:</P><P>&nbsp;</P><LI-CODE lang="markup">index=_audit action="alert_fired" earliest=-30d@d latest=@d | timechart span=1d count</LI-CODE><P>&nbsp;</P><P>if you want to know how many alerts you fired for each kind of alert, you could run something like this:</P><P>&nbsp;</P><LI-CODE lang="markup">index=_audit action="alert_fired" earliest=-30d@d latest=@d | timechart span=1d count BY ss_name</LI-CODE><P>&nbsp;</P><P>but it depends on the number of different alerts: if they are too many your chart isn't readable.</P><P>&nbsp;</P><P>The problem is that you want to run a search on a long time (one month) and, if you have many events, this is a very slow search.</P><P>So you could schedule this&nbsp; search as a report by night and display it very quickly or schedule a search saving results in a summary index and running the search on the summary index.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 28 Aug 2020 14:18:11 GMT https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516718#M145243 gcusello 2020-08-28T14:18:11Z https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516719#M145244 <P>How about something like</P><LI-CODE lang="markup">index=_audit action="alert_fired" | convert timeformat="%m-%d" ctime(_time) AS date | stats count by ss_name, date</LI-CODE><P>Then use a stacked bar chart in your dashboard panel&nbsp;</P> Fri, 28 Aug 2020 14:18:22 GMT https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516719#M145244 ITWhisperer 2020-08-28T14:18:22Z https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516724#M145246 <P>i had tried that one already but it puts count and date as the only x-axis items instead of the ss_name (alerts)</P> Fri, 28 Aug 2020 14:38:12 GMT https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516724#M145246 mvasquez21 2020-08-28T14:38:12Z https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516725#M145247 <P>Try adding</P><LI-CODE lang="markup">| xyseries date, ss_name, count</LI-CODE> Fri, 28 Aug 2020 14:41:46 GMT https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516725#M145247 ITWhisperer 2020-08-28T14:41:46Z https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516734#M145249 <P>perfect! thanks!</P> Fri, 28 Aug 2020 14:55:56 GMT https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516734#M145249 mvasquez21 2020-08-28T14:55:56Z https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516736#M145250 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mvasquez21_0-1598626596705.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10557iCC984DA6002CFF92/image-size/medium?v=v2&amp;px=400" role="button" title="mvasquez21_0-1598626596705.png" alt="mvasquez21_0-1598626596705.png" /></span></P><P>&nbsp;</P> Fri, 28 Aug 2020 14:56:46 GMT https://community.splunk.com/t5/Splunk-Search/Chart/m-p/516736#M145250 mvasquez21 2020-08-28T14:56:46Z