- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Chart data from 2 saved searches
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Is it possible to chart data from 2 saved searches? I currently have 2 charts that are generated, each using a single saved search to generate each chart. What I'd like to do is combine 2 saved searches into one chart. The chart is displaying the data in columns.
Currently the code I have in my dashboard to generate the charts is below:
<row>
<chart>
<title>Total Emails To Send For All Registries</title>
<searchName>balance_email_to_send</searchName>
<option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text">Date</option>
<option name="charting.secondaryAxisTitle.text">Number of Emails</option>
<option name="charting.chart.useAbsoluteSpacing">true</option>
<option name="charting.chart.columnSpacing">5</option>
<option name="charting.legend.placement">top</option>
</chart>
<chart>
<chart>
<title>Total Emails Sent To All Registries</title>
<searchName>balance_email_sent</searchName>
<option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text">Date</option>
<option name="charting.secondaryAxisTitle.text">Number of Emails</option>
<option name="charting.chart.useAbsoluteSpacing">true</option>
<option name="charting.chart.columnSpacing">5</option>
<option name="charting.legend.placement">top</option>
</chart>
How can I have both of these saved searches generate data in 1 chart? Oh and also add another color and category to the legend too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to get a single search returning the combined results of both searches:
sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent
| rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent."
| search TotalEmailsToSend="*" OR TotalEmailsSent="*"
| timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to get a single search returning the combined results of both searches:
sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent
| rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent."
| search TotalEmailsToSend="*" OR TotalEmailsSent="*"
| timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chart generated nicely! Thanks for the help as I missed a few minor details as usual!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked. sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?
| timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm going to play with it a little though....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
no go on that search...it doesn't like the regex...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are the 2 saved searches:
Total Emails to Send search:
sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsToSend="*" | timechart sum(TotalEmailsToSend)
Total Emails Sent search:
sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="120" BalanceEmail sent | rex field=_raw "[BalanceEmail] ?(?[\d]+) of (?[\d]+) of email notification sent." | search TotalEmailsSent="*" | timechart sum(TotalEmailsSent)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Without knowing the exact search, it is extremly difficult to advise on how to insert a second set of results into the same chart. You might be able to use the "append" command to add in a separate set of results to a specific search, then create a chart based off of that complete result set.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll have to research the append command a bit further!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
