Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Chart data from 2 saved searches

gnovak
Builder
‎12-21-2010 06:59 PM

Hi

Is it possible to chart data from 2 saved searches? I currently have 2 charts that are generated, each using a single saved search to generate each chart. What I'd like to do is combine 2 saved searches into one chart. The chart is displaying the data in columns.

Currently the code I have in my dashboard to generate the charts is below:

<row>
<chart>
  <title>Total Emails To Send For All Registries</title>
  <searchName>balance_email_to_send</searchName>
 <option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text">Date</option>
<option name="charting.secondaryAxisTitle.text">Number of Emails</option>
 <option name="charting.chart.useAbsoluteSpacing">true</option>
 <option name="charting.chart.columnSpacing">5</option>
 <option name="charting.legend.placement">top</option>
</chart>
<chart>
<chart>
  <title>Total Emails Sent To All Registries</title>
  <searchName>balance_email_sent</searchName>
  <option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text">Date</option>
<option name="charting.secondaryAxisTitle.text">Number of Emails</option>
 <option name="charting.chart.useAbsoluteSpacing">true</option>
 <option name="charting.chart.columnSpacing">5</option>
 <option name="charting.legend.placement">top</option>
</chart>

How can I have both of these saved searches generate data in 1 chart? Oh and also add another color and category to the legend too.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎12-21-2010 07:18 PM

You should be able to get a single search returning the combined results of both searches:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent 
| rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." 
| search TotalEmailsToSend="*" OR TotalEmailsSent="*"
| timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent

View solution in original post

Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎12-21-2010 07:18 PM

You should be able to get a single search returning the combined results of both searches:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent 
| rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." 
| search TotalEmailsToSend="*" OR TotalEmailsSent="*"
| timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent
Reply
Solved! Jump to solution

gnovak
Builder
‎12-21-2010 07:27 PM

Chart generated nicely! Thanks for the help as I missed a few minor details as usual!

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎12-21-2010 07:25 PM

This worked. sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsToSend="" OR TotalEmailsSent=""
| timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎12-21-2010 07:22 PM

I'm going to play with it a little though....

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎12-21-2010 07:22 PM

no go on that search...it doesn't like the regex...

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎12-21-2010 07:09 PM

Here are the 2 saved searches:

Total Emails to Send search:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsToSend="*" | timechart sum(TotalEmailsToSend)

Total Emails Sent search:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsSent="*" | timechart sum(TotalEmailsSent)

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎12-21-2010 07:05 PM

Without knowing the exact search, it is extremly difficult to advise on how to insert a second set of results into the same chart. You might be able to use the "append" command to add in a separate set of results to a specific search, then create a chart based off of that complete result set.

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎12-21-2010 07:15 PM

I'll have to research the append command a bit further!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...