Splunk Search

Charting options column settings not working

hpatel05
New Member

Trying out a simple dashboard. But Chart is not taking up selected columns, but showing up all the columns. e.g. in example below, though charting.data1.column mentions only 0 and 1, i was expecting to see PingLoss colummn chart vs time, but it shows up PingLoss and no_PingLoss both columns in the chart. What am I missing ?

 <?xml version="1.0" encoding="utf-8"?>
    <dashboard>
      <label>Sample</label>
      <row>
        <chart>
          <searchName>Example</searchName>
          <searchString>* | stats count(eval(eventtype="pingloss")) as PingLoss, count(eval(eventtype="no_pingloss")) as NoPingLoss by _time</searchString>
          <earliestTime>rt-30m</earliestTime>
          <latestTime>rtnow</latestTime>

          <option name="charting.data1">view</option>
          <option name="charting.data1.table">@data</option>
          <option name="charting.data1.columns">[0,1]</option>
          <option name="charting.chart.data">@data1</option>
             <option name="charting.chart">column</option>

        </chart>
      </row>
    </dashboard>

Thanks

Tags (1)
0 Karma

hpatel05
New Member

Yes, i know this one, but this is part of more complex chart where I am trying chart overlay with two Y-axis. So same data set, but each chart picks up different columns from data set. But this basic one is not working, so not able to reach next step. I am using splunk 6.0 build 182037 on linux.

0 Karma

lguinn2
Legend

If you only want to see PingLoss vs. time, then I would use

<searchString>eventtype="pingloss" | timechart count as PingLoss</searchString>

I also think that this will be more efficient. And you probably won't need any of the charting.chart options, either.

0 Karma

hpatel05
New Member

Thanks, but I am trying out more complex charts. so need to select columns from data output.

0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

what version of Splunk are you using?
Also wondering why you wouldn't just use a search like this:
* | stats count(eval(eventtype="pingloss")) as PingLoss, count(eval(eventtype="no_pingloss")) as NoPingLoss by _time|fields - NoPingLoss

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...