Dashboards & Visualizations

Chart not generating data correctly

Builder

Ok so here goes. I have been working with some charts for about a week now and have slowly started to get results. However I'm still a bit stuck here. I will explain:

First, here is the search I am using to generate the chart:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsToSend="*" | chart sum(TotalEmailsToSend) over date_wday

And here is the snipped from the dashboard XML file where I have the code to generate the chart:

<chart>
  <title>Total Emails To Send For All Registries</title>
  <searchName>balance_email_to_send</searchName>
 <option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text">Date</option>
<option name="charting.secondaryAxisTitle.text">Number of Emails</option>
 <option name="charting.chart.useAbsoluteSpacing">true</option>
 <option name="charting.chart.columnSpacing">5</option>
 <option name="charting.legend.placement">top</option>
</chart>

The chart is generated, but the days of the week aren't displayed in order.

I have tried changing the end of the search to be chart sum(TotalEmailsToSend) over _time but when I do this, the columns in the graph are thin and the secondary axis values change and are not a reflection of the actual number of email that were sent out.

I want to have the dates displayed on the bottom of the chart (as opposed to just the name of the day of the week) and I'd like them to be in order. Also if possible, if there was a way to add a drop down menu to the chart to allow the user to select the time range they want, that would also be great.

I found this in a ticket on answers.splunk.com regarding a drop dowm menu, but not sure if this is correct as it threw me an error when I tried to add it to my xml file or the dashboard. I perhaps put it in the wrong spot?

<input type="time"/>    
<input type="dropdown" token="timeSpan">
    <label>Time span for charts</label>
    <default>span=4h</span>
    <choice value="span=5m">5 Minute</choice>
    <choice value="span=10m">10 Minutes</choice>
    <choice value="span=1h">1 hour</choice>
    <choice value="span=4h">4 hours</choice>
    <choice value="span=24h">24 hours</choice>
    <choice value="span=7d">7 days</choice>
    <choice value="rt">Real-time</choice>

Can anyone spot the obvious things I may be doing wrong?

Tags (1)
0 Karma

Esteemed Legend

If all you are trying to do is get the days of the week in order, try this:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[d]+) of (?[d]+) of email notification sent." | search TotalEmailsToSend="*" | bucket _time span=1d chart sum(TotalEmailsToSend) over _time

Or probably better this:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[d]+) of (?[d]+) of email notification sent." | search TotalEmailsToSend="*" | timechart span=1d sum(TotalEmailsToSend)
0 Karma

Builder

I just noticed the one line for the drop down I believe should be span=4h

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!