generating a bar chart

gnovak · ‎12-05-2011

I'm trying to make a bar chart but for some reason i'm having some difficulty. I'd like to have it where my saved search generates the chart without having to make a dashboard. is that possible?

My search looks through a log and shows the disk usages for users home directories.

 sourcetype=DiskUsageTest | rex field=_raw "(?<Space>[\d]+)\s*\/home\/(?<UserName>\S+)" max_match=1000 | table UserName Space

I'd like to put this into a bar chart. I tried piping the search to timechart as well but haven't been successful. For right now I have it piped to table to see the results.

The search will display a username and the space they are using. Each is a single event. I've looked at some documentation too and just can't seem to get this to work.

What command would I use at the end of the search to make a bar graph? i've read about timechart and stats and am a bit confused what would work. I'll keep trying but figured I'd ask here.

I'd like to have the usernames displayed on the left side of the chart and the space values at the bottom.

I tried putting | timechart avg(Space) by UserName at the end but this didn't seem to generate the results I want either.

gnovak · ‎12-05-2011

actually I got it to work! After I messed with it for a while I finally got it. I made a dashboard and used the saved search with the "timechart" command to generate the chart. It was a bit crowded when it generated so i just stretched it down and it appears ok.

So if the dashboard bar graph is crowded to where I have to stretch it down, any way to maybe space it better? that's the next thing I will research.

Ayn · ‎12-05-2011

So if I understand you correctly you've got the data correctly from timechart but need to know how to get this data into a bar chart?

The search app always shows the flash timeline that you see below the search window. There is no changing this (well at least not without lots of work and/or pretty much breaking the search app). To use the stats you've gotten from timechart in a chart, use the "Show report" link to the right underneath the search button. This takes you to the report builder where you can choose the type of chart you want to use and some other things, before you finally click Apply and create the actual chart.

gnovak · ‎12-05-2011

The last thing I am working on is having this search span for 7 days and show the top 20 users who have the highest amount of space for the last 7 days.

gnovak · ‎12-05-2011

and above is the code from the dashboard

gnovak · ‎12-05-2011

Email Summary

Usage by User Ynfs
Andrew ynfs1 search
bar
500
UserName
Space
true
top

gnovak · ‎12-05-2011

This was able to generate a chart for me when I put it into a dashboard XML file. host="ynfs1" sourcetype=userdiskusage earliest=-1d@d latest=-0d@d | rex field=_raw "(?[\d]+)\s*\/home\/(?\S+)" max_match=1000 | search NOT UserName="shares" | table UserName Space | sort -Space | head 20

generating a bar chart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation

generating a bar chart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...