- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to display the name of the FAILUR And SUCCESS...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
I have one requirement.
I have one TREND Chart where I am showing FAILURE ,SUCCESS AND Total Counts in a trend.
The problem I am facing is I have one drop down "Build Result" which consists of 3 values
AllBuildResult
SUCCESS
FAILURE
the problem is when I am selecting " SUCCESS" from drop down the values are coming Right but its showing Total as label instead of SUCCESS. same is happening with FAILURE as well.
Below is my code:
<row>
<panel>
<chart>
<title>Jenkins Builds Deployment Report</title>
<search>
<query>index="abc" sourcetype="xyz" $orgname$ $buildresult$ |
timechart span=1d count(BuildResult) by BuildResult useother=f limit=25|addtotals</query>
<earliest>$field4.earliest$</earliest>
<latest>$field4.latest$</latest>
</search>
<earliest>$field4.earliest$</earliest>
<latest>$field4.latest$</latest>
<sampleRatio>1</sampleRatio>
</search-->
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.text">Date</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.text">Count</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.showMarkers">1</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineDashStyle">longDash</option>
<option name="height">400</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">OrgFolderName</option>
</chart>
</panel>
</row>
Can someone guide me on that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK change to
| search BuildResult="$buildresult$"And you should be good to go
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try below? It is a kind of hack but I think helps,
index="abc" sourcetype="xyz" $orgname$ $buildresult$
| timechart span=1d count(BuildResult) by BuildResult useother=f limit=25
| addtotals
| eval Total=case(len("$buildresult$")>1,0,1=1,Total)It is setting Total to zero if SUCCESS or FAILURE selected.
If this reply helps you an upvote is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @aditsss,
Since you are using "addtotals" command after your timechart it adds Total column. When you filter SUCCESS or FAILURE, SUCCESS count becomes the same as Total. You can try removing "addtotals" command.
If this reply helps you an upvote is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could try:
<query>index="abc" sourcetype="xyz" $orgname$ $buildresult$ |
timechart span=1d count as $buildresult$ by BuildResult useother=f limit=25|addtotals</query>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this query but still facing the same issue. Below is my query for the same:
<query>index="abc" sourcetype="xyz" $orgname$ $buildresult$ |
timechart span=1d count as $buildresult$ by BuildResult useother=f limit=25|addtotals</query>
The problem is when I am selecting all build result from the drop down thats showing fine.
But when I select "SUCCESS" or "FAILURE" from the drop down its showing the correct values for SUCCESS AND FAILURE but the label is not coming correct.
I have attached the screenshot as well.
@ITWhisperer Can you please guide me .
Code
<row>
<panel>
<chart>
<title>Jenkins Builds Deployment Report</title>
<search>
<query>index="abc" sourcetype="xyz" $orgname$ $buildresult$ |
timechart span=1d count as $buildresult$ by BuildResult useother=f limit=25|addtotals</query>
<earliest>$field4.earliest$</earliest>
<latest>$field4.latest$</latest>
</search>
<earliest>$field4.earliest$</earliest>
<latest>$field4.latest$</latest>
<sampleRatio>1</sampleRatio>
</search-->
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.text">Date</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.text">Count</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.showMarkers">1</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineDashStyle">longDash</option>
<option name="height">400</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">OrgFolderName</option>
</chart>
</panel>
</row>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<query>index="abc" sourcetype="xyz" $orgname$ $buildresult$ |
timechart span=1d count as $buildresult$ by BuildResult useother=f limit=25</query>Try without addtotals as @scelikok suggested
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I cant remove addtotals as I need to display three trends
One is for SUCCESS , one is for Failure and one is total trend (SUCCESS+ FAILURE)
How can I display the label correctly now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<query>index="abc" sourcetype="xyz" $orgname$
| bin _time span=1d
| stats count by _time BuildResult
| appendpipe [ stats sum(count) as count by _time | eval BuildResult="AllBuildResult" ]
| sort _time
| where BuildResult=$buildresult$
| xyseries _time BuildResult count
</query>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I write this query but getting this error:
Below is my query
index="abc" sourcetype="xyz" $orgname$ | bin _time span=1d
| stats count by _time BuildResult
| appendpipe [ stats sum(count) as count by _time | eval BuildResult="AllBuildResult" ]
| sort _time
| where BuildResult=$buildresult$
| xyseries _time BuildResult count
I am getting this Error on sceen
Error in 'where' command: Type checking failed. The '==' operator received different types.
Attached is the screenshot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="abc" sourcetype="xyz" $orgname$ | bin _time span=1d
| stats count by _time BuildResult
| appendpipe [ stats sum(count) as count by _time | eval BuildResult="AllBuildResult" ]
| sort _time
| where BuildResult="$buildresult$"
| xyseries _time BuildResult countTry putting the token in quotes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried with quotes but getting below error.
<row>
<panel>
<chart>
<title>Jenkins Builds Deployment Report</title>
<search>
<query>index="abc" sourcetype="xyz" $orgname$ | bin _time span=1d
| stats count by _time BuildResult
| appendpipe [ stats sum(count) as count by _time | eval BuildResult="AllBuildResult" ]
| sort _time
| where BuildResult="$buildresult$"
| xyseries _time BuildResult count</query>
<earliest>$field4.earliest$</earliest>
<latest>$field4.latest$</latest>
</search>
<earliest>$field4.earliest$</earliest>
<latest>$field4.latest$</latest>
<sampleRatio>1</sampleRatio>
</search-->
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.text">Date</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.text">Count</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.showMarkers">1</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="height">400</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">OrgFolderName</option>
</chart>
</panel>
</row>
Getting the below Error
Error in 'where' command: Type checking failed. '*' only takes numbers.
Attached is the screenshot for the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you show the code for your dropdown?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is the code for my drop down
<input type="multiselect" token="buildresult" searchWhenChanged="true">
<label>BuildResult</label>
<choice value="*">All BuildResult</choice>
<search>
<query>index="abc" sourcetype="hjt" | stats count by BuildResult</query>
<earliest>-90d@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>BuildResult</fieldForLabel>
<fieldForValue>BuildResult</fieldForValue>
<prefix>(</prefix>
<valuePrefix>BuildResult ="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<suffix>)</suffix>
<initialValue>*</initialValue>
<default>*</default>
</input>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you should use a single dropdown not a multi in this instance and remove the prefix, valuePrefix, valueSuffix, delimiter and suffix elements, because the way the token is being used in the query and from what I understand you are trying to do, the token really only needs one value. Also, change the default choice and choice value from * to AllBuildResult so that everything hangs together when this option is chosen
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I done the way you told me but I am not able to get any result.
Could you guide me where I am wrong.
Below is my code.'
Drop-down
<input type="dropdown" token="buildresult" searchWhenChanged="true">
<label>BuildResult</label>
<choice value="All BuildResult">All BuildResult</choice>
<search>
<query>index="abc" sourcetype="xyz" | stats count by BuildResult</query>
<earliest>-90d@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>BuildResult</fieldForLabel>
<fieldForValue>BuildResult</fieldForValue>
<initialValue>AllBuildResult</initialValue>
<default>AllBuildResult</default>
</input>
Panel Code
<row>
<panel>
<chart>
<title>Jenkins Builds Deployment Report</title>
<search>
<query>index="abc" sourcetype="xyz" $orgname$ | bin _time span=1d
| stats count by _time BuildResult
| appendpipe [ stats sum(count) as count by _time | eval BuildResult="AllBuildResult" ]
| sort _time
| where BuildResult="$buildresult$"
| xyseries _time BuildResult count</query>
<earliest>$field4.earliest$</earliest>
<latest>$field4.latest$</latest>
</search>
<earliest>$field4.earliest$</earliest>
<latest>$field4.latest$</latest>
<sampleRatio>1</sampleRatio>
</search-->
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.text">Date</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.text">Count</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.showMarkers">1</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="height">400</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">OrgFolderName</option>
</chart>
</panel>
</row>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you still get errors or just no rows? If no rows, you could try removing the quotes around buildresult again. Also, I noticed that "All BuildResult" has a space in the dropdown value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes its working now but the issue I am facing is when I am selecting "AllBuildResult" and that is also the value by default .
It should display all the three trends for "AllBuildResult" but its only displaying the total trend.
I want all the three trends to be displayed when "AllBuildResult" is there.
Below is my code:
<input type="dropdown" token="buildresult" searchWhenChanged="true">
<label>BuildResult</label>
<choice value="AllBuildResult">AllBuildResult</choice>
<search>
<query>index="abc" sourcetype="xyz" | stats count by BuildResult</query>
<earliest>-90d@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>BuildResult</fieldForLabel>
<fieldForValue>BuildResult</fieldForValue>
<initialValue>AllBuildResult</initialValue>
<default>AllBuildResult</default>
</input>
panel code:
<panel>
<chart>
<title>Jenkins Builds Deployment Report</title>
<search>
<query>index="abc" sourcetype="xyzt" $orgname$ | bin _time span=1d
| stats count by _time BuildResult
| appendpipe [ stats sum(count) as count by _time | eval BuildResult="AllBuildResult" ]
| sort _time
| where BuildResult="$buildresult$"
| xyseries _time BuildResult count</query>
<earliest>$field4.earliest$</earliest>
<latest>$field4.latest$</latest>
</search>
<earliest>$field4.earliest$</earliest>
<latest>$field4.latest$</latest>
<sampleRatio>1</sampleRatio>
</search-->
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.text">Date</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.text">Count</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.showMarkers">1</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="height">400</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">OrgFolderName</option>
</chart>
</panel>
</row>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK that wasn't clear. Change the value of All BuildResult in the drop down to * and the default and initial values to the same. Then change the eval BuildResult to "Total" or something like that (or you could leave it as "AllBuildResult"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I made the following changes but still getting total result trend only for ALL build Result
Drop down Code:
<input type="dropdown" token="buildresult" searchWhenChanged="true">
<label>BuildResult</label>
<choice value="*">AllBuildResult</choice>
<search>
<query>index="abc" sourcetype="xyz" | stats count by BuildResult</query>
<earliest>-90d@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>BuildResult</fieldForLabel>
<fieldForValue>BuildResult</fieldForValue>
<initialValue>*</initialValue>
<default>*</default>
</input>
panel code:
<row>
<panel>
<chart>
<title>Jenkins Builds Deployment Report</title>
<search>
<query>index="abc" sourcetype="xyz" $orgname$ | bin _time span=1d
| stats count by _time BuildResult
| appendpipe [ stats sum(count) as count by _time | eval BuildResult="AllBuildResult" ]
| sort _time
| where BuildResult="$buildresult$"
| xyseries _time BuildResult count</query>
<earliest>$field4.earliest$</earliest>
<latest>$field4.latest$</latest>
</search>
<earliest>$field4.earliest$</earliest>
<latest>$field4.latest$</latest>
<sampleRatio>1</sampleRatio>
</search-->
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.text">Date</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.text">Count</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.showMarkers">1</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="height">400</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">OrgFolderName</option>
</chart>
</panel>
</row>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please guide me on this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So,
<query>index="abc" sourcetype="xyz" $orgname$ | bin _time span=1d
| stats count by _time BuildResult
| appendpipe [ stats sum(count) as count by _time | eval BuildResult="AllBuildResult" ]
| sort _time
| where BuildResult="*"
| xyseries _time BuildResult count</query>temporarily cutting out the use of the dropdown, what do you get if you change the panel query to:
.conf24 | Day 0
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
Troubleshooting the OpenTelemetry Collector
