Hi
Is it possible to chart data from 2 saved searches? I currently have 2 charts that are generated, each using a single saved search to generate each chart. What I'd like to do is combine 2 saved searches into one chart. The chart is displaying the data in columns.
Currently the code I have in my dashboard to generate the charts is below:
<row>
  <chart>
    <title>Total Emails To Send For All Registries</title>
    <searchName>balance_email_to_send</searchName>
    <option name="charting.chart">column</option>
    <option name="charting.primaryAxisTitle.text">Date</option>
    <option name="charting.secondaryAxisTitle.text">Number of Emails</option>
    <option name="charting.chart.useAbsoluteSpacing">true</option>
    <option name="charting.chart.columnSpacing">5</option>
    <option name="charting.legend.placement">top</option>
  </chart>
  <chart>
    <title>Total Emails Sent To All Registries</title>
    <searchName>balance_email_sent</searchName>
    <option name="charting.chart">column</option>
    <option name="charting.primaryAxisTitle.text">Date</option>
    <option name="charting.secondaryAxisTitle.text">Number of Emails</option>
    <option name="charting.chart.useAbsoluteSpacing">true</option>
    <option name="charting.chart.columnSpacing">5</option>
    <option name="charting.legend.placement">top</option>
  </chart>
</row>
How can I have both of these saved searches generate data in 1 chart? Oh and also add another color and category to the legend too.
You should be able to get a single search returning the combined results of both searches:
sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent
| rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent."
| search TotalEmailsToSend="*" OR TotalEmailsSent="*"
| timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent
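The combined search from the answer above, placed inline in a single column-chart panel, as an added example that is not part of the original thread. The panel title, the use of `<searchString>` with CDATA, the escaped brackets, and the order of the two capture-group names (first number as TotalEmailsSent, second as TotalEmailsToSend) are assumptions, since the group names are not visible in the regex as posted.

```xml
<row>
  <chart>
    <!-- Hypothetical title for the merged panel -->
    <title>Total Emails To Send vs. Sent For All Registries</title>
    <!-- Assumption: the log line has the form
         "[BalanceEmail] N of M of email notification sent."
         with N = emails sent and M = emails to send.
         Swap the two group names if your logs use the other order. -->
    <!-- CDATA stops the angle brackets of the named capture groups from being
         parsed as XML tags. The brackets around BalanceEmail are escaped so
         they match literally instead of forming a character class. -->
    <searchString><![CDATA[
      sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent
      | rex field=_raw "\[BalanceEmail\] ?(?<TotalEmailsSent>\d+) of (?<TotalEmailsToSend>\d+) of email notification sent\."
      | search TotalEmailsToSend="*" OR TotalEmailsSent="*"
      | timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent
    ]]></searchString>
    <!-- Same chart options as the two original panels -->
    <option name="charting.chart">column</option>
    <option name="charting.primaryAxisTitle.text">Date</option>
    <option name="charting.secondaryAxisTitle.text">Number of Emails</option>
    <option name="charting.chart.useAbsoluteSpacing">true</option>
    <option name="charting.chart.columnSpacing">5</option>
    <option name="charting.legend.placement">top</option>
  </chart>
</row>
```

Because the timechart produces two named columns, each one is drawn as its own series and gets its own legend entry.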
Chart generated nicely! Thanks for the help as I missed a few minor details as usual!
This worked.
sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?
| timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent
I'm going to play with it a little though....
no go on that search...it doesn't like the regex...
Here are the 2 saved searches:
Total Emails to Send search:
sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsToSend="*" | timechart sum(TotalEmailsToSend)
Total Emails Sent search:
sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsSent="*" | timechart sum(TotalEmailsSent)
Without knowing the exact search, it is extremely difficult to advise on how to insert a second set of results into the same chart. You might be able to use the "append" command to add in a separate set of results to a specific search, then create a chart based off of that complete result set.
I'll have to research the append command a bit further!