Re: Chart not generating data correctly

gnovak · ‎12-17-2010

Ok so here goes. I have been working with some charts for about a week now and have slowly started to get results. However I'm still a bit stuck here. I will explain:

First, here is the search I am using to generate the chart:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsToSend="*" | chart sum(TotalEmailsToSend) over date_wday

And here is the snipped from the dashboard XML file where I have the code to generate the chart:

<chart>
  <title>Total Emails To Send For All Registries</title>
  <searchName>balance_email_to_send</searchName>
 <option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text">Date</option>
<option name="charting.secondaryAxisTitle.text">Number of Emails</option>
 <option name="charting.chart.useAbsoluteSpacing">true</option>
 <option name="charting.chart.columnSpacing">5</option>
 <option name="charting.legend.placement">top</option>
</chart>

The chart is generated, but the days of the week aren't displayed in order.

I have tried changing the end of the search to be chart sum(TotalEmailsToSend) over _time but when I do this, the columns in the graph are thin and the secondary axis values change and are not a reflection of the actual number of email that were sent out.

I want to have the dates displayed on the bottom of the chart (as opposed to just the name of the day of the week) and I'd like them to be in order. Also if possible, if there was a way to add a drop down menu to the chart to allow the user to select the time range they want, that would also be great.

I found this in a ticket on answers.splunk.com regarding a drop dowm menu, but not sure if this is correct as it threw me an error when I tried to add it to my xml file or the dashboard. I perhaps put it in the wrong spot?

<input type="time"/>    
<input type="dropdown" token="timeSpan">
    <label>Time span for charts</label>
    <default>span=4h</span>
    <choice value="span=5m">5 Minute</choice>
    <choice value="span=10m">10 Minutes</choice>
    <choice value="span=1h">1 hour</choice>
    <choice value="span=4h">4 hours</choice>
    <choice value="span=24h">24 hours</choice>
    <choice value="span=7d">7 days</choice>
    <choice value="rt">Real-time</choice>

Can anyone spot the obvious things I may be doing wrong?

woodcock · ‎06-03-2015

If all you are trying to do is get the days of the week in order, try this:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[d]+) of (?[d]+) of email notification sent." | search TotalEmailsToSend="*" | bucket _time span=1d chart sum(TotalEmailsToSend) over _time

Or probably better this:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[d]+) of (?[d]+) of email notification sent." | search TotalEmailsToSend="*" | timechart span=1d sum(TotalEmailsToSend)

gnovak · ‎12-17-2010

I just noticed the one line for the drop down I believe should be span=4h

Chart not generating data correctly

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation