Dashboards & Visualizations

Chart not generating data correctly

gnovak
Builder

Ok so here goes. I have been working with some charts for about a week now and have slowly started to get results. However I'm still a bit stuck here. I will explain:

First, here is the search I am using to generate the chart:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsToSend="*" | chart sum(TotalEmailsToSend) over date_wday

And here is the snippet from the dashboard XML file where I have the code to generate the chart:

<chart>
  <title>Total Emails To Send For All Registries</title>
  <searchName>balance_email_to_send</searchName>
  <option name="charting.chart">column</option>
  <option name="charting.primaryAxisTitle.text">Date</option>
  <option name="charting.secondaryAxisTitle.text">Number of Emails</option>
  <option name="charting.chart.useAbsoluteSpacing">true</option>
  <option name="charting.chart.columnSpacing">5</option>
  <option name="charting.legend.placement">top</option>
</chart>

The chart is generated, but the days of the week aren't displayed in order.

I have tried changing the end of the search to be chart sum(TotalEmailsToSend) over _time, but when I do this, the columns in the graph are thin and the secondary axis values change and are not a reflection of the actual number of emails that were sent out.

I want to have the dates displayed on the bottom of the chart (as opposed to just the name of the day of the week) and I'd like them to be in order. Also if possible, if there was a way to add a drop down menu to the chart to allow the user to select the time range they want, that would also be great.

I found this in a ticket on answers.splunk.com regarding a drop down menu, but not sure if this is correct as it threw me an error when I tried to add it to my xml file or the dashboard. I perhaps put it in the wrong spot?

<input type="time"/>    
<input type="dropdown" token="timeSpan">
    <label>Time span for charts</label>
    <default>span=4h</span>
    <choice value="span=5m">5 Minute</choice>
    <choice value="span=10m">10 Minutes</choice>
    <choice value="span=1h">1 hour</choice>
    <choice value="span=4h">4 hours</choice>
    <choice value="span=24h">24 hours</choice>
    <choice value="span=7d">7 days</choice>
    <choice value="rt">Real-time</choice>

Can anyone spot the obvious things I may be doing wrong?

0 Karma

woodcock
Esteemed Legend

If all you are trying to do is get the days of the week in order, try this:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsToSend="*" | bucket _time span=1d | chart sum(TotalEmailsToSend) over _time

Or probably better this:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsToSend="*" | timechart span=1d sum(TotalEmailsToSend)
0 Karma

gnovak
Builder

I just noticed the one line for the drop down I believe should be span=4h

0 Karma
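
A form-style dashboard that combines the time picker and span dropdown from the question with the timechart search from the answer, as an added example rather than code from either poster. It assumes a Splunk version whose Simple XML supports `<search>`/`<query>`; the capture-group name EmailsSent, the mapping of TotalEmailsToSend to the second group, the escaped literal brackets and the dashboard label are assumptions, because the group names are missing from the search as posted.

```xml
<form>
  <label>Balance Email Notifications</label>
  <fieldset submitButton="false">
    <!-- Time picker; replaces the fixed starthoursago="120" window of the posted search -->
    <input type="time" token="timeRange" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-5d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Each choice value is a complete timechart argument, as in the posted snippet.
         The default of one-day buckets matches the span=1d suggested in the answer. -->
    <input type="dropdown" token="timeSpan" searchWhenChanged="true">
      <label>Time span for charts</label>
      <choice value="span=1h">1 hour</choice>
      <choice value="span=4h">4 hours</choice>
      <choice value="span=24h">24 hours</choice>
      <choice value="span=7d">7 days</choice>
      <default>span=24h</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Total Emails To Send For All Registries</title>
        <search>
          <!-- CDATA keeps the "<" of the named capture groups from being parsed as XML.
               EmailsSent and the group-to-field mapping are assumptions. -->
          <query><![CDATA[
sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") BalanceEmail sent
| rex field=_raw "\[BalanceEmail\] ?(?<EmailsSent>\d+) of (?<TotalEmailsToSend>\d+) of email notification sent"
| search TotalEmailsToSend="*"
| timechart $timeSpan$ sum(TotalEmailsToSend) AS "Number of Emails"
          ]]></query>
          <earliest>$timeRange.earliest$</earliest>
          <latest>$timeRange.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.legend.placement">top</option>
      </chart>
    </panel>
  </row>
</form>
```

Because timechart buckets on _time, the columns come out in chronological order and are labelled with dates instead of weekday names.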