Solved: Re: Line up sources in chart

gnovak · ‎04-11-2012

Is there a way to graph a chart where the sources will line up next to each other? From the example above, I want totalemailssent and totalemailtosend from one source to be side by side in the chart.

Example: the highest 2 columns in the chart are the same source for each day. Can I get them to show up side by side?

My code to make the chart is:

<chart>
  <searchString>sourcetype="cron_BalanceEmail" NOT host="*.bmp2.*" earliest=-7d@d latest=-0d@d sent (\[BalanceEmail\] OR \[null\])   | rex field=_raw "\w+\] ?(?&lt;TotalEmailsSent&gt;[\d]+) of (?&lt;TotalEmailsToSend&gt;[\d]+) of email notification sent\." | rex field=source "/(?&lt;registrar&gt;[^/]+)/[^/]+/[^/]+$" | timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent by registrar</searchString>
  <title>Balance Emails Combined - 7 days</title>
  <earliestTime>0</earliestTime>
  <option name="charting.chart">column</option>
  <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
</chart>

tysonstewart · ‎04-11-2012

Yeah, try tacking a table command on the end of your search string:

... | table totalemailsent,totalemailtosend, *

View solution in original post

tysonstewart · ‎04-11-2012

Yeah, try tacking a table command on the end of your search string:

... | table totalemailsent,totalemailtosend, *

gnovak · ‎04-19-2012

This worked. I missed that %Y. Great stuff...thanks for the help!

tysonstewart · ‎04-19-2012

Yeah, %e is just one of those weird ones. It works for me. I say try it, and if it doesn't, fall back on %d. %Y will give you a 4-digit year (it's near the bottom on that link).

gnovak · ‎04-19-2012

Interesting! http://www.velocityreviews.com/forums/t648500-why-e-not-in-time-strftime-directives.html

gnovak · ‎04-19-2012

also is the %e a mistake on your part? It's not in the chart from the link you posted. 😞

gnovak · ‎04-19-2012

This is wonderful. Works good. I just need the year (2012) but I don't see this on the link. Thanks for this. I'll be taking some python training soon so any exposure is a +

tysonstewart · ‎04-19-2012

Hmm. Unexpected. Well, you can counter that by using an eval before the table command:

... | eval Time=strftime(_time,"%a %b %e") | table Time,"TotalEmailsToSend: <registrar>",...

Then you can format your time however you please. A guide to strftime strings can be found at http://strftime.org/

gnovak · ‎04-19-2012

Tysonsteward, this works, but the time for some reason is really long. Instead of the time just being a simple date like April 19 2012 it's long and drawn out like 2012-04-15T00:00:00:000-04:00...any idea why?

tysonstewart · ‎04-11-2012

Gotcha. Sorry, needed to read a little closer. You'll have to spell out all the column names, but the table command should still do what you're looking for:

... | table _time,"TotalEmailsToSend: <registrar>","TotalEmailsSent: <registrar>",...

Casing and spaces matter.

gnovak · ‎04-11-2012

nay that didn't work.

Line up sources in chart

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?