Solved: Re: How to create a PDF report with a varying numb...

subtrakt · ‎08-17-2015

Hi,

I have a search w/ a stats function that illustrates multiple individual errors. Once that search completes, I would like to see a 7 day the timechart for each individual error. Sometimes the report could generate 1 timechart in the PDF, or sometimes multiple errors in the pdf. Depending on what comes out of the stats.

This is the concept:
... | stats count by testERROR | where count > 10 | map timechart count by testERROR

create pdf and email with timecharts

woodcock · ‎08-17-2015

Like this

... [search ... | stats count by testERROR | where count > 10 | fields testERROR] | timechart count by testERROR

View solution in original post

woodcock · ‎08-17-2015

Like this

... [search ... | stats count by testERROR | where count > 10 | fields testERROR] | timechart count by testERROR

subtrakt · ‎09-05-2015

map [search index=test earliest=-2d testERROR =$testERROR $ | timechart fixedrange=F count by testERROR ]

Any idea how to make the Y axis less jumbled?

looks like its overwriting w/ each map loop

subtrakt · ‎09-05-2015

Yes the query worked - thanks again!

woodcock · ‎08-17-2015

If you prefer individual timecharts, then use map like this:

... | stats count by testERROR | where count > 10 | map search="search testError=$testERROR$ | timechart count"

woodcock · ‎08-19-2015

Did this work?

subtrakt · ‎08-17-2015

no map ? This looks like its just running a subsearch for the same thing.

I was hoping to take the output from a search and map it to individual searches w/ timecharts.

How to create a PDF report with a varying number of timecharts, dependent on unique stats results?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk