Line up sources in chart

gnovak
Builder

Is there a way to graph a chart where the sources will line up next to each other? From the example above, I want totalemailssent and totalemailtosend from one source to be side by side in the chart.

Example: the highest 2 columns in the chart are the same source for each day. Can I get them to show up side by side?

My code to make the chart is:

<chart>
  <searchString>sourcetype="cron_BalanceEmail" NOT host="*.bmp2.*" earliest=-7d@d latest=-0d@d sent (\[BalanceEmail\] OR \[null\])   | rex field=_raw "\w+\] ?(?&lt;TotalEmailsSent&gt;[\d]+) of (?&lt;TotalEmailsToSend&gt;[\d]+) of email notification sent\." | rex field=source "/(?&lt;registrar&gt;[^/]+)/[^/]+/[^/]+$" | timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent by registrar</searchString>
  <title>Balance Emails Combined - 7 days</title>
  <earliestTime>0</earliestTime>
  <option name="charting.chart">column</option>
  <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
</chart>
0 Karma
1 Solution

tysonstewart
Path Finder

Yeah, try tacking a table command on the end of your search string:

... | table totalemailsent,totalemailtosend, *

0 Karma

gnovak
Builder

This worked. I missed that %Y. Great stuff...thanks for the help!

0 Karma

tysonstewart
Path Finder

Yeah, %e is just one of those weird ones. It works for me. I say try it, and if it doesn't, fall back on %d. %Y will give you a 4-digit year (it's near the bottom on that link).

0 Karma

gnovak
Builder

Also, is the %e a mistake on your part? It's not in the chart from the link you posted. 😞

0 Karma

gnovak
Builder

This is wonderful. Works good. I just need the year (2012) but I don't see this on the link. Thanks for this. I'll be taking some Python training soon, so any exposure is a +

0 Karma

tysonstewart
Path Finder

Hmm. Unexpected. Well, you can counter that by using an eval before the table command:

... | eval Time=strftime(_time,"%a %b %e") | table Time,"TotalEmailsToSend: <registrar>",...

Then you can format your time however you please. A guide to strftime strings can be found at http://strftime.org/

0 Karma

gnovak
Builder

Tysonstewart, this works, but the time for some reason is really long. Instead of the time just being a simple date like April 19 2012, it's long and drawn out like 2012-04-15T00:00:00:000-04:00...any idea why?

0 Karma

tysonstewart
Path Finder

Gotcha. Sorry, needed to read a little closer. You'll have to spell out all the column names, but the table command should still do what you're looking for:

... | table _time,"TotalEmailsToSend: <registrar>","TotalEmailsSent: <registrar>",...

Casing and spaces matter.

0 Karma

gnovak
Builder

Nay, that didn't work.

0 Karma