Solved: How to create a PDF report with a varying number o...

subtrakt · ‎08-17-2015

Hi,

I have a search w/ a stats function that illustrates multiple individual errors. Once that search completes, I would like to see a 7 day the timechart for each individual error. Sometimes the report could generate 1 timechart in the PDF, or sometimes multiple errors in the pdf. Depending on what comes out of the stats.

This is the concept:
... | stats count by testERROR | where count > 10 | map timechart count by testERROR

create pdf and email with timecharts

woodcock · ‎08-17-2015

Like this

... [search ... | stats count by testERROR | where count > 10 | fields testERROR] | timechart count by testERROR

View solution in original post

woodcock · ‎08-17-2015

Like this

... [search ... | stats count by testERROR | where count > 10 | fields testERROR] | timechart count by testERROR

subtrakt · ‎09-05-2015

map [search index=test earliest=-2d testERROR =$testERROR $ | timechart fixedrange=F count by testERROR ]

Any idea how to make the Y axis less jumbled?

looks like its overwriting w/ each map loop

subtrakt · ‎09-05-2015

Yes the query worked - thanks again!

woodcock · ‎08-17-2015

If you prefer individual timecharts, then use map like this:

... | stats count by testERROR | where count > 10 | map search="search testError=$testERROR$ | timechart count"

woodcock · ‎08-19-2015

Did this work?

subtrakt · ‎08-17-2015

no map ? This looks like its just running a subsearch for the same thing.

I was hoping to take the output from a search and map it to individual searches w/ timecharts.

How to create a PDF report with a varying number of timecharts, dependent on unique stats results?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life