generating a bar chart

gnovak
Builder

I'm trying to make a bar chart but for some reason I'm having some difficulty. I'd like to have it where my saved search generates the chart without having to make a dashboard. Is that possible?

My search looks through a log and shows the disk usages for users home directories.

 sourcetype=DiskUsageTest | rex field=_raw "(?<Space>[\d]+)\s*\/home\/(?<UserName>\S+)" max_match=1000 | table UserName Space

I'd like to put this into a bar chart. I tried piping the search to timechart as well but haven't been successful. For right now I have it piped to table to see the results.

The search will display a username and the space they are using. Each is a single event. I've looked at some documentation too and just can't seem to get this to work.

What command would I use at the end of the search to make a bar graph? I've read about timechart and stats and am a bit confused about what would work. I'll keep trying but figured I'd ask here.

I'd like to have the usernames displayed on the left side of the chart and the space values at the bottom.

I tried putting | timechart avg(Space) by UserName at the end but this didn't seem to generate the results I want either.

0 Karma

gnovak
Builder

Actually I got it to work! After I messed with it for a while I finally got it. I made a dashboard and used the saved search with the "timechart" command to generate the chart. It was a bit crowded when it generated so I just stretched it down and it appears OK.

So if the dashboard bar graph is crowded to where I have to stretch it down, is there any way to maybe space it better? That's the next thing I will research.

0 Karma

Ayn
Legend

So if I understand you correctly you've got the data correctly from timechart but need to know how to get this data into a bar chart?

The search app always shows the flash timeline that you see below the search window. There is no changing this (well at least not without lots of work and/or pretty much breaking the search app). To use the stats you've gotten from timechart in a chart, use the "Show report" link to the right underneath the search button. This takes you to the report builder where you can choose the type of chart you want to use and some other things, before you finally click Apply and create the actual chart.

0 Karma

gnovak
Builder

The last thing I am working on is having this search span for 7 days and show the top 20 users who have the highest amount of space for the last 7 days.

0 Karma

gnovak
Builder

and above is the code from the dashboard

0 Karma

gnovak
Builder





Usage by User Ynfs
Andrew ynfs1 search
bar
500
UserName
Space
true
top


0 Karma

gnovak
Builder

This was able to generate a chart for me when I put it into a dashboard XML file.

 host="ynfs1" sourcetype=userdiskusage earliest=-1d@d latest=-0d@d | rex field=_raw "(?<Space>[\d]+)\s*\/home\/(?<UserName>\S+)" max_match=1000 | search NOT UserName="shares" | table UserName Space | sort -Space | head 20

0 Karma