Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change Chart Type in a Saved Search

Blu3fish
Path Finder
‎08-25-2010 11:08 PM

Is it possible to edit a saved search after its initial creation in order to change the chart type (via the cli or ui)?

If not, are there any plans to introduce this functionality in future versions?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

zscgeek
Path Finder
‎08-25-2010 11:56 PM

I am not sure about via the CLI or Web UI but you can edit the viewstates.conf if needed, however the mapping between the saved search and the vsid can be a bit cryptic at times the first time you see it.

Lets assume you have a savedsearch.conf entry that looks like this:

[Media - Report - RTP Errors - Last 4 hours]
dispatch.earliest_time = -4h@h
dispatch.latest_time = now
displayview = report_builder_display
request.ui_dispatch_view = report_builder_display
search = rtpstat | extract rtpstat | where rtpErrRXTooMuchProcessed > 0 OR rtpErrNoData > 0 OR rtpErrRXUnterminatedDTMFs > 0 OR rtpErrRXSpamPackets >0  OR rtpErrRXProatvDroppedPkts > 0 OR rtpErrTXSendErrors > 0 | timechart sum(rtpErrRXSpamPackets) sum(rtpErrRXTooMuchProcessed) sum(rtpErrRXUnterminatedDTMFs) sum(rtpErrRXVoicePktDroppedDurDTMF) sum(rtpErrTXSendErrors)
vsid = *:gd1t63rz

What you can do is look up that vsid (gd1t63rz) in viewstates.conf to find the formatter for that view:

[*:gd1t63rz]
ChartTitleFormatter_0_6_0.default = RTP Error Counts
ChartTypeFormatter_0_4_0.default = line
Count_0_3_0.default = 50
DataOverlay_0_5_0.dataOverlayMode = none
DataOverlay_0_5_0.default = heatmap
FlashChart_0_4_1.height = 504px
LegendFormatter_0_10_0.default = right
LineMarkerFormatter_0_7_0.default = false
NullValueFormatter_0_9_0.default = gaps
SplitModeFormatter_0_8_0.default = false
StackModeFormatter_0_7_0.default = default
XAxisTitleFormatter_0_6_1.default = time

In this entry the line you would want to edit is the "ChartTypeFormatter_0_4_0.default = line" entry to have the type that you are looking for.

View solution in original post

Reply
Solved! Jump to solution

Gaurav
Splunk Employee
Splunk Employee
‎08-26-2010 06:32 PM

Yes, you can change the chart type for a previously saved search via the UI.

  1. Open up the saved search you previously created. You can do this by selecting it from the Searches and Reports dropdown from the search interface, or from Splunk Manager (Searches and Reports) and clicking "Run"

  2. Your search should open in the report builder. Click the "Edit Report" button.

  3. Change your chart type, or any other properties you wish and click the "Apply" button

  4. Click "Save" -> "Save report"

Essentially the above does the same thing described by the zscgeek on the back-end (edits the viewstate), but via the UI.

Reply
Solved! Jump to solution

carasso
Splunk Employee
Splunk Employee
‎12-30-2010 12:34 AM

filed in bug system as SPL-36529.

0 Karma
Reply
Solved! Jump to solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-26-2010 10:15 PM

This doesn't seem to work for saved searches saved from flashtimeline or Manager (or from the conf files directly).

Reply
Solved! Jump to solution
Solution

zscgeek
Path Finder
‎08-25-2010 11:56 PM

I am not sure about via the CLI or Web UI but you can edit the viewstates.conf if needed, however the mapping between the saved search and the vsid can be a bit cryptic at times the first time you see it.

Lets assume you have a savedsearch.conf entry that looks like this:

[Media - Report - RTP Errors - Last 4 hours]
dispatch.earliest_time = -4h@h
dispatch.latest_time = now
displayview = report_builder_display
request.ui_dispatch_view = report_builder_display
search = rtpstat | extract rtpstat | where rtpErrRXTooMuchProcessed > 0 OR rtpErrNoData > 0 OR rtpErrRXUnterminatedDTMFs > 0 OR rtpErrRXSpamPackets >0  OR rtpErrRXProatvDroppedPkts > 0 OR rtpErrTXSendErrors > 0 | timechart sum(rtpErrRXSpamPackets) sum(rtpErrRXTooMuchProcessed) sum(rtpErrRXUnterminatedDTMFs) sum(rtpErrRXVoicePktDroppedDurDTMF) sum(rtpErrTXSendErrors)
vsid = *:gd1t63rz

What you can do is look up that vsid (gd1t63rz) in viewstates.conf to find the formatter for that view:

[*:gd1t63rz]
ChartTitleFormatter_0_6_0.default = RTP Error Counts
ChartTypeFormatter_0_4_0.default = line
Count_0_3_0.default = 50
DataOverlay_0_5_0.dataOverlayMode = none
DataOverlay_0_5_0.default = heatmap
FlashChart_0_4_1.height = 504px
LegendFormatter_0_10_0.default = right
LineMarkerFormatter_0_7_0.default = false
NullValueFormatter_0_9_0.default = gaps
SplitModeFormatter_0_8_0.default = false
StackModeFormatter_0_7_0.default = default
XAxisTitleFormatter_0_6_1.default = time

In this entry the line you would want to edit is the "ChartTypeFormatter_0_4_0.default = line" entry to have the type that you are looking for.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...