Trying out a simple dashboard. But Chart is not taking up selected columns, but showing up all the columns. e.g. in example below, though charting.data1.column mentions only 0 and 1, i was expecting to see PingLoss colummn chart vs time, but it shows up PingLoss and no_PingLoss both columns in the chart. What am I missing ?
<?xml version="1.0" encoding="utf-8"?> <dashboard> <label>Sample</label> <row> <chart> <searchName>Example</searchName> <searchString>* | stats count(eval(eventtype="pingloss")) as PingLoss, count(eval(eventtype="no_pingloss")) as NoPingLoss by _time</searchString> <earliestTime>rt-30m</earliestTime> <latestTime>rtnow</latestTime> <option name="charting.data1">view</option> <option name="charting.data1.table">@data</option> <option name="charting.data1.columns">[0,1]</option> <option name="charting.chart.data">@data1</option> <option name="charting.chart">column</option> </chart> </row> </dashboard>
what version of Splunk are you using?
Also wondering why you wouldn't just use a search like this:
* | stats count(eval(eventtype="pingloss")) as PingLoss, count(eval(eventtype="no_pingloss")) as NoPingLoss by _time|fields - NoPingLoss
If you only want to see PingLoss vs. time, then I would use
<searchString>eventtype="pingloss" | timechart count as PingLoss</searchString>
I also think that this will be more efficient. And you probably won't need any of the
charting.chart options, either.
Yes, i know this one, but this is part of more complex chart where I am trying chart overlay with two Y-axis. So same data set, but each chart picks up different columns from data set. But this basic one is not working, so not able to reach next step. I am using splunk 6.0 build 182037 on linux.