Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Chart data from 2 saved searches

gnovak
Builder
‎12-21-2010 06:59 PM

Hi

Is it possible to chart data from 2 saved searches? I currently have 2 charts that are generated, each using a single saved search to generate each chart. What I'd like to do is combine 2 saved searches into one chart. The chart is displaying the data in columns.

Currently the code I have in my dashboard to generate the charts is below:

<row>
<chart>
  <title>Total Emails To Send For All Registries</title>
  <searchName>balance_email_to_send</searchName>
 <option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text">Date</option>
<option name="charting.secondaryAxisTitle.text">Number of Emails</option>
 <option name="charting.chart.useAbsoluteSpacing">true</option>
 <option name="charting.chart.columnSpacing">5</option>
 <option name="charting.legend.placement">top</option>
</chart>
<chart>
<chart>
  <title>Total Emails Sent To All Registries</title>
  <searchName>balance_email_sent</searchName>
  <option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text">Date</option>
<option name="charting.secondaryAxisTitle.text">Number of Emails</option>
 <option name="charting.chart.useAbsoluteSpacing">true</option>
 <option name="charting.chart.columnSpacing">5</option>
 <option name="charting.legend.placement">top</option>
</chart>

How can I have both of these saved searches generate data in 1 chart? Oh and also add another color and category to the legend too.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎12-21-2010 07:18 PM

You should be able to get a single search returning the combined results of both searches:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent 
| rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." 
| search TotalEmailsToSend="*" OR TotalEmailsSent="*"
| timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent

View solution in original post

Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎12-21-2010 07:18 PM

You should be able to get a single search returning the combined results of both searches:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent 
| rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." 
| search TotalEmailsToSend="*" OR TotalEmailsSent="*"
| timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent
Reply
Solved! Jump to solution

gnovak
Builder
‎12-21-2010 07:27 PM

Chart generated nicely! Thanks for the help as I missed a few minor details as usual!

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎12-21-2010 07:25 PM

This worked. sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsToSend="" OR TotalEmailsSent=""
| timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎12-21-2010 07:22 PM

I'm going to play with it a little though....

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎12-21-2010 07:22 PM

no go on that search...it doesn't like the regex...

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎12-21-2010 07:09 PM

Here are the 2 saved searches:

Total Emails to Send search:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsToSend="*" | timechart sum(TotalEmailsToSend)

Total Emails Sent search:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsSent="*" | timechart sum(TotalEmailsSent)

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎12-21-2010 07:05 PM

Without knowing the exact search, it is extremly difficult to advise on how to insert a second set of results into the same chart. You might be able to use the "append" command to add in a separate set of results to a specific search, then create a chart based off of that complete result set.

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎12-21-2010 07:15 PM

I'll have to research the append command a bit further!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...