Solved: Re: Line up sources in chart

gnovak · ‎04-11-2012

Is there a way to graph a chart where the sources will line up next to each other? From the example above, I want totalemailssent and totalemailtosend from one source to be side by side in the chart.

Example: the highest 2 columns in the chart are the same source for each day. Can I get them to show up side by side?

My code to make the chart is:

<chart>
  <searchString>sourcetype="cron_BalanceEmail" NOT host="*.bmp2.*" earliest=-7d@d latest=-0d@d sent (\[BalanceEmail\] OR \[null\])   | rex field=_raw "\w+\] ?(?&lt;TotalEmailsSent&gt;[\d]+) of (?&lt;TotalEmailsToSend&gt;[\d]+) of email notification sent\." | rex field=source "/(?&lt;registrar&gt;[^/]+)/[^/]+/[^/]+$" | timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent by registrar</searchString>
  <title>Balance Emails Combined - 7 days</title>
  <earliestTime>0</earliestTime>
  <option name="charting.chart">column</option>
  <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
</chart>

tysonstewart · ‎04-11-2012

Yeah, try tacking a table command on the end of your search string:

... | table totalemailsent,totalemailtosend, *

View solution in original post

tysonstewart · ‎04-11-2012

Yeah, try tacking a table command on the end of your search string:

... | table totalemailsent,totalemailtosend, *

gnovak · ‎04-19-2012

This worked. I missed that %Y. Great stuff...thanks for the help!

tysonstewart · ‎04-19-2012

Yeah, %e is just one of those weird ones. It works for me. I say try it, and if it doesn't, fall back on %d. %Y will give you a 4-digit year (it's near the bottom on that link).

gnovak · ‎04-19-2012

Interesting! http://www.velocityreviews.com/forums/t648500-why-e-not-in-time-strftime-directives.html

gnovak · ‎04-19-2012

also is the %e a mistake on your part? It's not in the chart from the link you posted. 😞

gnovak · ‎04-19-2012

This is wonderful. Works good. I just need the year (2012) but I don't see this on the link. Thanks for this. I'll be taking some python training soon so any exposure is a +

tysonstewart · ‎04-19-2012

Hmm. Unexpected. Well, you can counter that by using an eval before the table command:

... | eval Time=strftime(_time,"%a %b %e") | table Time,"TotalEmailsToSend: <registrar>",...

Then you can format your time however you please. A guide to strftime strings can be found at http://strftime.org/

gnovak · ‎04-19-2012

Tysonsteward, this works, but the time for some reason is really long. Instead of the time just being a simple date like April 19 2012 it's long and drawn out like 2012-04-15T00:00:00:000-04:00...any idea why?

tysonstewart · ‎04-11-2012

Gotcha. Sorry, needed to read a little closer. You'll have to spell out all the column names, but the table command should still do what you're looking for:

... | table _time,"TotalEmailsToSend: <registrar>","TotalEmailsSent: <registrar>",...

Casing and spaces matter.

gnovak · ‎04-11-2012

nay that didn't work.

Line up sources in chart

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application