makeresults is generally used for demo purposes. You just write a search that reads your indexes and creates output records in the same format that the sample data has.
If you post a sample query of how you get the information you want to display, and the input format for the chart, then we can help you write the required search.
These are the required fields needed to power the viz.
Just make sure the output of the data looks similar to this. Note that
keyColor is an optional field.
I have found a solution (unfortunately just getting the output to match the required text didn't work for me as the number of lines in the graph will change and the fields involved will change so the output needs to be run as it's own query) - it needs two queries on a dashboard
The lookup is only needed if you are defining colours for the chart.
This query leaves you with a single value for a field called "base"
index="foo" Name="bar" NOT delta="epsilon*" Number !=""
|stats values(Number) as number by Date Description
|lookup data Date OUTPUT colour as hue
|stats values(hue) as hue values(niche) as niche by Date
| nomv niche
|eval base= "| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"
|stats values(base) as base
|mvcombine delim=" " base
You need to assign a token to the search:
Then this query in the second panel which will be the chart:
result.base only takes the first value for the field which is fine as all the results have been combined. I found it when looking into tokens and id's for searches (https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html).
@ChrisCLewis If your problem is resolved, please accept an answer to help future readers.