Dashboards & Visualizations

What setting displays a chart on a report?

youngsuh
Contributor

Capture.PNG

We had PS create a report, but I can't seem to figure out what setting he set to show a time-based chart without a time-based command. He didn't use a dashboard. The graphic only shows on the report? I want the ability to do a similar type of visualization, but I can't figure out what setting causes the visual output.

0 Karma
1 Solution

youngsuh
Contributor

I figured it out. It's saving the report with the Visualization tab. Thanks for your help in pointing me in the right direction.

0 Karma
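
The accepted answer above, written out as the savedsearches.conf keys involved. This is an added example, not taken from the thread or from the poster's environment; it assumes the standard display.* report settings, and the stanza name and the column chart type are constructed for illustration.

```ini
# Constructed stanza name standing in for the report discussed in the thread.
[Example - Oracle DDL Changes]

# The stanza posted in the thread carries these two values, which open the
# report on the Statistics tab:
#   display.general.type = statistics
#   display.page.search.tab = statistics

# Values for a report whose saved content is a chart:
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.show = 1
display.visualizations.type = charting

# Constructed choice of chart type. The first field of the final
# "stats ... by src, dest, SQL_TEXT" clause (src) is used as the x-axis.
display.visualizations.charting.chart = column

# Leave the statistics table enabled.
display.statistics.show = 1
```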

ITWhisperer
SplunkTrust

The x-axis of a chart is usually the first field / column in the result events used for the chart. Check your search query to ensure that the fields are in the correct order.

0 Karma

youngsuh
Contributor

Here is the SPL

index=$masked$_oracle src!=$masked$* dest=$masked$* ACTION_NAME IN ("*CREATE*","*ALTER*","*DROP*","*EXECUTE*") AND SQL_TEXT IN ("*CREATE TABLE*","*DROP TABLE*","*ALTER TABLE*","*TRUNCATE TABLE*","*CREATE FUNCTION*","*ALTER FUNCTION*","*DROP FUNCTION*","*CREATE PACKAGE BODY*","*ALTER PACKAGE BODY*","*DROP PACKAGE BODY*","*CREATE PACKAGE*","*ALTER PACKAGE*","*DROP PACKAGE*")
| stats values(user) as user values(ACTION_NAME) as dbSQLCommand, values(CLIENT_PROGRAM_NAME) as dbdlient dc(CLIENT_PROGRAM_NAME) as App_Making_chage_count dc(ACTION_NAME) as distinctSQLCommandsPerformed earliest(_time) as mostRecentTime by src, dest, SQL_TEXT
| convert ctime(mostRecentTime) 
| sort - mostRecentTime

Here is the .conf

action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -3mon@d
cron_schedule = 0 1 * * 1
description = ```SRB Update: adjusted ACTION_NAME & SQL_TEXT Search Analyst-JYS : A/U-2024/01/10 : R/A-2024/01/12```\
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_view = search
search = index=$masked$_oracle src!=$masked$* dest=$masked$* ACTION_NAME IN ("*CREATE*","*ALTER*","*DROP*","*EXECUTE*") AND SQL_TEXT IN ("*CREATE TABLE*","*DROP TABLE*","*ALTER TABLE*","*TRUNCATE TABLE*","*CREATE FUNCTION*","*ALTER FUNCTION*","*DROP FUNCTION*","*CREATE PACKAGE BODY*","*ALTER PACKAGE BODY*","*DROP PACKAGE BODY*","*CREATE PACKAGE*","*ALTER PACKAGE*","*DROP PACKAGE*")\
| stats values(user) as user values(ACTION_NAME) as dbSQLCommand, values(CLIENT_PROGRAM_NAME) as dbdlient dc(CLIENT_PROGRAM_NAME) as App_Making_chage_count dc(ACTION_NAME) as distinctSQLCommandsPerformed earliest(_time) as mostRecentTime by src, dest, SQL_TEXT\
| convert ctime(mostRecentTime) \
| sort - mostRecentTime

I don't see anywhere the visualization is set. Could you rephrase "The x-axis of a chart is usually the first field / column in the result events used for the chart. Check your search query to ensure that the fields are in the correct order."? I don't get it because there is no chart command or setting in the report.

0 Karma

ITWhisperer
SplunkTrust

The first field mentioned in the by clause of the final stats command (which is src) will be / is your x-axis (see your graphic)

0 Karma

youngsuh
Contributor

Yes, src is in the by clause. How do you display the graph above and then the table of the search results on the bottom for a saved report?

Or am I not asking the question correctly?

0 Karma

ITWhisperer
SplunkTrust

OK, now I understand what you mean - you could try creating a dashboard and scheduling that as a PDF delivery - iirc this has to be Classic, not Studio.
