Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Column Chart

pkeller
Contributor
‎01-31-2017 11:08 AM

My search produces output containing 5 license pool names, their configured pool size, and the volume that was indexed at the time of the rollover.

My search:
eventtype=evt-rollover-summary earliest=-1d latest=@d
| stats latest(poolsz) as "PoolSize" sum(b) as "PoolUsage" by pool
| rename pool AS "Pool Name"
| eval "Pool Size (Gb)" = round(PoolSize/1024/1024,0)
| eval "Pool Usage (Gb)" = round(PoolUsage/1024/1024,0)
| fields - PoolSize, PoolUsage

I'd like the column chart to just produce a 'dot' above the "Pool Usage (Gb)" column containing the "Pool Size (Gb)" field, but all I can seem to produce is a solid line for the overlay with nothing marking the line where the Pool Size Value is met.
Not sure what I need to choose in the Overlay section to highlight the associated Pool Size value above the Pool Usage for a given Pool.

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-31-2017 11:36 AM

After you';ve selected the chart overlay, add following to line to your dashboard xml of the chart.

<option name="charting.chart.showMarkers">true</option>

Like this:

....
<chart>
    <search>
<query>eventtype=evt-rollover-summary earliest=-1d latest=@d 
 | stats latest(poolsz) as "PoolSize" sum(b) as "PoolUsage" by pool
 | rename pool AS "Pool Name"
 | eval "Pool Size (Gb)" = round(PoolSize/1024/1024,0)
 | eval "Pool Usage (Gb)" = round(PoolUsage/1024/1024,0) 
 | fields - PoolSize, PoolUsage
</query>
....
..
</search>
.....
        <option name="charting.chart.showMarkers">true</option>
......

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-31-2017 11:36 AM

After you';ve selected the chart overlay, add following to line to your dashboard xml of the chart.

<option name="charting.chart.showMarkers">true</option>

Like this:

....
<chart>
    <search>
<query>eventtype=evt-rollover-summary earliest=-1d latest=@d 
 | stats latest(poolsz) as "PoolSize" sum(b) as "PoolUsage" by pool
 | rename pool AS "Pool Name"
 | eval "Pool Size (Gb)" = round(PoolSize/1024/1024,0)
 | eval "Pool Usage (Gb)" = round(PoolUsage/1024/1024,0) 
 | fields - PoolSize, PoolUsage
</query>
....
..
</search>
.....
        <option name="charting.chart.showMarkers">true</option>
......
0 Karma
Reply
Solved! Jump to solution

pkeller
Contributor
‎01-31-2017 12:12 PM

Thank you. Works perfectly.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...