How to create a PDF report with a varying number of timecharts, dependent on unique stats results?

Contributor

Hi,

I have a search with a stats function that illustrates multiple individual errors. Once that search completes, I would like to see a 7-day timechart for each individual error. Sometimes the report could generate 1 timechart in the PDF, or sometimes multiple errors in the PDF, depending on what comes out of the stats.

This is the concept:
... | stats count by testERROR | where count > 10 | map timechart count by testERROR

create pdf and email with timecharts

0 Karma

Re: How to create a PDF report with a varying number of timecharts, dependent on unique stats results?

Esteemed Legend

Like this

... [search ... | stats count by testERROR | where count > 10 | fields testERROR] | timechart count by testERROR

0 Karma

Re: How to create a PDF report with a varying number of timecharts, dependent on unique stats results?

Contributor

No map? This looks like it's just running a subsearch for the same thing.

I was hoping to take the output from a search and map it to individual searches w/ timecharts.

0 Karma

Re: How to create a PDF report with a varying number of timecharts, dependent on unique stats results?

Esteemed Legend

If you prefer individual timecharts, then use map like this:

... | stats count by testERROR | where count > 10 | map search="search testERROR=$testERROR$ | timechart count"

0 Karma

Re: How to create a PDF report with a varying number of timecharts, dependent on unique stats results?

Esteemed Legend

Did this work?

0 Karma

Re: How to create a PDF report with a varying number of timecharts, dependent on unique stats results?

Contributor

Yes the query worked - thanks again!

0 Karma

Re: How to create a PDF report with a varying number of timecharts, dependent on unique stats results?

Contributor

map [search index=test earliest=-2d testERROR=$testERROR$ | timechart fixedrange=F count by testERROR]

Any idea how to make the Y axis less jumbled?

Looks like it's overwriting with each map loop.

0 Karma