Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Charts not populating after post processing is done.

theouhuios
Motivator
‎10-05-2012 08:09 AM

Hello

I am completely new to the post processing concept hence having few issues with coding it in xml 

`<?xml version='1.0' encoding='utf-8'?>


<![CDATA[index="main" sourcetype="incident" |dedup record.incidentId| stats count by record.assignmentGroup,record.priority ]]> `



Last 24 hours






Count by Priority - 1
<![CDATA[where record.priority="1" ]]>
bar
gaps
default
false
right

 </chart>




Count by Priority - 2
<![CDATA[where record.priority="2" ]]>
bar
gaps
default
false
right

 </chart>
 <chart>
   <title>Count by priority -3</title>
   <searchPostProcess> <![CDATA[where record.priority="3"  ]]> </searchPostProcess> 
   <option name="charting.chart">column</option> 
   <option name="charting.chart.nullValueMode">gaps</option>
   <option name="charting.chart.stackMode">stacked</option> 
   <option name="charting.layout.splitSeries">false</option> 
   <option name="charting.legend.placement">right</option> 
   <option name="count">10</option>
   <option name="displayRowNumbers">true</option> 

 </chart>


I don't know why but the data isn't getting populated in the charts. Can anyone please explain where I am doing a mistake. Any help would be great.

Thanks

Tags (1)
0 Karma
Reply

theouhuios
Motivator
‎10-08-2012 08:00 AM

Made changes and pasted the code again. Now in the postprocess it only has the where field. Am I missing something here?

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎10-08-2012 07:53 AM

change the post processes to just the where clause and remove the field, eg. |where record.priority=3 | fields - record.priority.
You don't have _time anymore, so you can't bucket by it. You'd need to bucket by time in the original search template.

Reply

theouhuios
Motivator
‎10-08-2012 07:51 AM

Thanks for that. But it still doesn't populate the charts below. Am I doing anything wrong in the searchTemplate ?

0 Karma
Reply

theouhuios
Motivator
‎10-08-2012 07:50 AM

Thanks for that. But it still doesn't populate the charts below. Am I doing anything wrong in the searchTemplate ?

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎10-08-2012 07:23 AM

The properties are searchPostProcess and searchTemplate not searchpostprocess or searchtemplate. Does that sort it out?

0 Karma
Reply

theouhuios
Motivator
‎10-08-2012 07:01 AM

Any help please?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...