I'm setting up some license dashboards for customers. The dashboard will contain sourcetype usage over the past 30 days, showing both an areachart and a stats table. The area chart shows the top 10 sourcetypes, along with the pool size, which works fine. To add the stats table, I used the existing report from above, and changed visualization to stats table. But now, I want to remove the pool size, and want to change the sort order to be by date in desc order. How can I do that without creating a whole new search/report? Is that possible? These are scheduled reports, btw...
@a212830 - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!
Since we now have two answers suggesting using post-processing and a base search, I figure I might as well muddy the waters and add a third! (Redundant? Redundant.)
The only difference is that I'd like to highlight that the base search in the post process can still call your savedsearch with the savedsearch spl command! So you can keep it a savedsearch but have it used and loaded only once on the page but influence several dashboards.
The catch here is that you'd have to make the savedsearch act almost like a summary index in that it only returns the least common data set of results that you can then transform (with the charts, stats, whatever) in the respective panels.
Coffee still soaking in so lemme know if that is too abstract and doesn't make sense.
If you reverse the time you might not be able to display the same on timechart on a chart visualization (you will have to format time to mm/dd/yyyy or Date only to plot on x-axis). Meanwhile you can try something like the following for post processing:
<row> <panel> <chart> <search id="baseSearch"> <query>Your Current Query goes here</query> <earliest>-30d@d</earliest> <latest>-0d@d</latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.chart">column</option> <option name="charting.chart.nullValueMode">connect</option> <option name="charting.chart.overlayFields">"stack size"</option> </chart> </panel> </row> <row> <panel> <table> <search base="baseSearch"> <query>reverse | fieldformat _time=strftime(_time,"%d/%m/%Y") | table _time volume</query> </search> </table> </panel> </row>
You can look at the concept of using a base search. Essentially one search runs and multiple panels reference that search.
Just be sure to note the post-processing limitations as well as the notes on performance in standalone vs distributed environments
Would it be possible for you to share your existing query/sample? Are you using prebuilt panel?
It's a scheduled report, not an inline search. Here's the search from the report:
index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | search pool="FMD License" | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | search pool="FMD License" | eval _time=_time - 43200 | bin _time span=1d | stats latest(poolsz) AS "pool size" by _time] | fields - _timediff | foreach * [eval <>=round('<>'/1024/1024/1024, 3)]